Another Congress, Another Hearing on Data Breach Legislation
On the same day that hacktivist group Anonymous reportedly hacked Congress, leaking the login information of over 2,000 staff members, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing on federal data breach notification legislation. But the leaked addresses and passwords were largely expired, and the July 18th hearing offered no indication that Congress is any closer to federal data breach legislation than it has been in previous years.
Data breach notification has been a perennial topic for Congress, and CDT has testified at previous hearings on the subject. Whereas previous hearings and Congresses have debated specific bills, the recent hearing was more general and featured active debate around fundamental questions. The panel, composed of four industry representatives and two professors, deliberated on basic topics such as whether the standard for breach notification should be suspicion or actual evidence, whether federal legislation should be preemptive, and, most notably, whether data breaches should be addressed in isolation or as part of a larger data security package.
On the latter question, CDT has long said that in order for data breach legislation to actually represent a step forward, it must address more than just notification. State laws have already made notifying consumers about data breaches the norm across the country. What else could be done to bring about real improvements over the current status quo? One helpful step legislators could take would be to put to rest the unnecessary debate over the FTC’s role in data breach enforcement by giving the FTC clear statutory authority to treat substandard security practices as unfair practices under the FTC Act. (To be clear, we think that the FTC already has statutory authority here, but there is ongoing litigation on the issue.) More broadly, Congress should seek to encourage data collection and retention practices that reduce the risk of breaches occurring in the first place. As Representative Waxman (D-CA) stated at the hearing, “after-the-fact breach notification is only half of what is needed.”
If there is one thing that the continued focus on data breaches highlights, it is that data collection and surveillance practices matter. A particular company or government agency may claim only the best of intentions regarding the use of the data they gather and store – but the ongoing parade of data breaches reminds us that once data is collected and saved, things can happen that create risks of future misuse. CDT is hopeful that Congress will continue to give attention to important questions focused on who collects and holds your data, in how many places, and with what security measures.