It’s the Right Time for National Data Breach Notification Legislation
By Patrick Gaul, Executive Director, NTSC
On September 13, the House Financial Services Committee passed H.R. 6743, the Consumer Information Notification Requirement Act. The legislation, sponsored by Subcommittee on Financial Institutions and Consumer Credit Chairman Blaine Luetkemeyer (Mo.), is a financial sector data breach notification bill with the aim of codifying federal notification guidelines for all financial institutions and preempting existing state laws. After many attempts at similar legislation over the past few years, it is a welcome step in the right direction.
Recently, I discussed national data breach notification legislation with a Fortune 500 Chief Information Security Officer (CISO) responsible for protecting a retail environment encompassing thousands of locations across the country. As a member of the National Technology Security Coalition’s (NTSC) Board of Directors (comprising about 30 Fortune 500 CISOs), this CISO shared his frustrations with me about current data breach notification legislation—or lack thereof.
Specifically, he noted the administrative costs of complying with 50 state data breach regulations and described the costs associated with establishing a post-breach notification mechanism to ensure his company meets the unique notification requirements of each state where his firm conducts business.
Stop for a second and truly consider these costs. Companies require multiple investments to achieve full compliance with each state. Are these investments helping protect consumers? No. These investments do not directly compensate any impacted consumers or improve the cybersecurity posture of the firm. Instead, these investments go toward a notification industry that arose to take advantage of a complex, muddled legislative environment—an industry only existing because we allowed a national issue to be regulated at the state level. Additionally, consumers unfairly and arbitrarily experience different data breach notification laws from state to state.
The solution isn’t rocket science. National data breach notification legislation makes sense on every level compared to the consequences of continuing with the status quo. National data breach notification legislation helps our country achieve two important goals:
- Mandate a cyber investment standard designed to improve the security posture of American businesses. This means requiring companies to achieve a specific standard of cyber protection with an appropriate investment, perhaps guided by the NIST Cybersecurity Framework or something similar.
- In the event of a data breach, ensure that all United States consumers are entitled to the same level of protection instead of protection that can vary from state to state.
After over a decade of legislative and industry handwringing about the need for a federal mandate, it is the right time to actually do something about it. Maintaining the status quo imposes an inordinate financial and administrative burden on American businesses. Instead, we must focus our efforts on protecting data and protecting consumers.
Congressman Luetkemeyer’s bill is not as comprehensive as the NTSC would prefer. The bill does not apply to all industries and does not propose a set of data security standards. However, it is directionally sound and we support the Congressman’s efforts to use this bill on the path toward finally achieving comprehensive national data breach notification legislation for all businesses.
Patrick D. Gaul is the Executive Director of the National Technology Security Coalition (NTSC), a non-profit, non-partisan organization that serves as an advocacy voice for Chief Information Security Officers (CISOs) across the United States.