One breach standard is better than 50 state regimes: Treasury official

WASHINGTON — A senior Treasury Department official on Tuesday reinforced the Trump administration’s position that there should be a single federal data breach standard.

The comments by Treasury's general counsel, Brent McIntosh, echoed a recommendation made by the department in a fintech policy report issued in July. State regulators and consumer groups fear that a national data breach standard could weaken standards already put in place in certain states, but McIntosh said that the current state-by-state regime is ineffective.

Speaking at a U.S. Chamber of Commerce event, McIntosh said the state-by-state approach produces "slightly fewer than 50 ... different breach mechanisms."

“If you have all data for people in every state, you have 50 different sets of obligations upon a breach,” he said. “That’s not an effective way of dealing with breaches and it is certainly the sort of regulatory fragmentation we would want to combat.”

Some lawmakers have pushed for federal standards in the wake of incidents such as Equifax’s massive data breach last year. Proponents of those measures say they would address gaps in notification practices revealed in recent breaches and make the compliance standards more consistent.

A bill that passed the House Financial Services Committee in September, led by Rep. Blaine Luetkemeyer, R-Mo., would have codified a federal data breach notification standard, but it has yet to be considered on the House floor or in the Senate.

Rep. Maxine Waters, D-Calif., the committee’s ranking member, who is expected to chair the panel in the next Congress, opposed the legislation and attempted to eliminate a provision in the bill under which a federal breach standard would pre-empt state measures. That amendment failed during a committee markup.
