In a hearing held by a House subcommittee Thursday, trade groups representing technology companies shared their views on a point of keen interest to banks: whether or not Congress should turn the hodgepodge network of existing state laws on data breaches into one, national law.
Forty-six states have their own data breach notification laws. While in principle these laws are similar (sensitive customer data must be encrypted and/or redacted; customers must be notified if their data might have been viewable by an unauthorized party), no two state data breach laws are exactly the same and many conflict with each other. A resident of one state who does business in another can trigger different rules around when and how a business that suffers a data breach must notify customers about it.
Citi recently bumped against these state laws when it discovered that a software program it was using to redact customer data from bankruptcy documents had a vulnerability: a savvy user could use another software program to undo the redaction. The risk was slight - a hacker would have to know the documents exist in a government database, know the version of software used to create them, and own and be an experienced user of the software that could unveil the protected information. But Citi reported and addressed it with breach notifications and free credit monitoring for affected customers.
Arguing for a national data breach law, Dan Liutikas, chief legal officer of technology vendor group CompTIA, started on a personal note. "I was born to immigrant parents from Lithuania," he said. "My father learned how to fix televisions for a national retailer until eventually opening his own television repair shop and then later starting a construction business. My mother waited tables at restaurants and then started her own restaurants, delis and banquet halls. Both lived the American dream by being entrepreneurial and starting their own small businesses. From my own experience I submit that small business owners don't want handouts. They just want a fair shot at pursuing the American dream. ..That means eliminating unnecessary barriers to entry, such as redundant and burdensome regulations."
Liutikas believes a new, national law would reduce the burden of data breach rules. "With the increasingly mobile and decentralized nature of our economy and data storage and dissemination technologies, there is a growing and exceptionally strong case to be made for the creation of a national data breach notification framework that supersedes state data breach laws," he said in his testimony.
Liutikas also recommended that Congress and the FTC not mandate specific technology or methods for data security practices. "The environment for data security is constantly evolving, so any regulation should focus on promoting validated industry standards for security, rather than a single quickly outdated solution," he pointed out.
Kevin Richards, senior vice president of federal government affairs at TechAmerica, another technology company association, also supported the idea of a national law but cautioned that it shouldn't go too far.
"Any federal framework should provide for breach notification when there is, in fact, only a significant risk that identity theft has or is likely to occur," he said. Over-notification of customers could cause customers to become numb and encourage fraud and phishing scams, he said. He also called for a clearer definition of personally identifiable information and, like Liutikas, spoke against mandating specific technologies.