A massive federal hack and a new European Union regulation have put consumer breach notification back in the spotlight after more than a decade of futility.
But it appears Congress will fall well short of passing something that could be signed into law this year.
With laws enacted this spring in Alabama and South Dakota, the 50 states now have widely divergent requirements for notifying consumers when their data has been illegally accessed.
Meanwhile, the new EU data protection rule that went into effect in May sets an unparalleled 72-hour requirement for breach notification, which will apply to any U.S. company that handles the data of an EU citizen. The rule is far tougher than the 30-day requirement found in many state laws.
But the effort to fashion a uniform standard for the United States is only inching forward.
Amid outrage over the 2017 breach at consumer credit rating agency Equifax that affected 143 million Americans, House GOP leaders instructed the Energy and Commerce and Financial Services Committee leaders to resolve longstanding differences over breach notification and produce a bill.
“Equifax gave the issue a lift this year, but the reality is this takes a lot of difficult work and it would affect everybody. The legislation would regulate everybody,” said one industry attorney closely tracking the issue. “There is still a lot more work to do.”
House lawmakers are actively working on legislation, but timing is unclear and the congressional calendar is rapidly shrinking.
“The [House] Financial Services Committee is primed to act,” said a source close to financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer, R-Mo., although there is no schedule for moving the lawmaker’s draft bill on data security and breach notification.
Separately, House Energy and Commerce digital commerce and consumer protection subcommittee Chairman Bob Latta, R-Ohio, has led a series of deep-dive “listening sessions” with business, state and consumer groups — one of the sessions, held prior to the Memorial Day recess, featured over 30 groups.
“It’s fair to say there were differences of opinion,” said one industry attorney.
For instance, the attorney said, a real-estate sector representative argued that whatever entity suffers the breach should do the public notification, while tech and telecom representatives countered that the “consumer-facing business” should do so; otherwise, according to that line of argument, consumers could be deluged with confusing notifications.
“There was a lot of back-and-forth, but it’s going to be hard to find consensus,” the attorney said.
Latta may hold another session soon, possibly on what constitutes the “sensitive” consumer information that would trigger the breach-reporting requirements, the attorney said.
Luetkemeyer and senior Financial Services member Carolyn Maloney, D-N.Y., have drafted a measure that includes security requirements and “immediate” consumer notification of breaches, combined with preemption of state breach-notice laws and a variety of exemptions that are controversial with consumer groups and with industries that don’t get an exemption.
The House draft language is still subject to “clarifying, tweaking and technical changes,” the source close to Luetkemeyer said. “There is no clear timeline but he is committed to moving a product. That could be a week or a month, but he’s looking for an opening.”
It’s also unclear whether Latta and Energy and Commerce Chairman Greg Walden, R-Ore., intend to produce their own bill, but the source close to Luetkemeyer said discussions between the two panels’ leaders are “absolutely ongoing.” This source suggested Luetkemeyer’s bill, once passed by Financial Services, would go to the Energy and Commerce and other committees for review and modifications.
“The big issues are still out there,” the source said, “but I think it’s fair to say that differences [between committees as well as some of those between industries] have been narrowed.”
The source said, “The committees are certainly talking and the desire is to collaborate.”
“Who has responsibility for notification and security has been the central issue for decades, and the biggest issues are still between the financial and retail sectors,” the source said. But the source added that the Luetkemeyer draft “is the most consumer-forward legislation we’ve seen on this,” while saying the language on third-party responsibilities “is more aggressive than most state standards.”
This source pointed to dynamics that could still propel action this year, including an initiative on the California ballot in November “that would impose drastically stronger reporting requirements” based on the EU’s new General Data Protection Regulation.
Likewise, the breach-notice rules in the GDPR should motivate U.S. policymakers to set a standard designed for this country, the source said. And, the source added, the November elections could produce a Democratic congressional majority that might not be as business-friendly as Luetkemeyer is on the issue.
But the industry attorney — whose clients do not favor the Luetkemeyer draft’s language — said “the reality is it’s not going to get done this year, so dive in as deeply as possible and really think through the issues and get everyone to put their cards on the table.
“There is a need for a process like Energy and Commerce is having,” this source said. “This is a good discussion and a good starting point.”
There are only six legislative weeks to go before the August recess, and lawmakers are expected to be in session for only a few weeks this fall prior to the elections. The Senate has largely scrapped its August break but the fate of data-breach legislation rests with the House, as senators hang back to see if that chamber can produce a widely acceptable bill.