Major data breaches in the healthcare, retail, entertainment, financial services and public sectors have heightened awareness in Congress and the Obama administration, with a growing sense of bi-partisanship that has brought speculation that a national data breach and data security standard could be enacted.

That is the view of risk management and security services firm Experian, which adds a large caveat in a new report: “However, obstacles remain that may make consensus just beyond the grasp of policymakers.”

All states except Alabama, New Mexico and South Dakota now have breach notification laws, as do the District of Columbia and Puerto Rico, report authors note. And two specific federal laws—HIPAA and the Gramm-Leach-Bliley Act—govern breaches of consumer health and financial breaches, making business compliance and consumer understanding of their rights difficult.

Also See: Obama Says Cyber Threat Onslaught Requires Joint Defense

Legislation to set a national breach notification standard has been introduced multiple times in recent sessions of Congress but not enacted, but breaches are a top priority in the current 114thsession, according to Experian.

Legislation recently approved in April in the House Energy and Commerce Committee (H.R. 1770) will face obstacles when the bill is brought to the House floor for consideration because of certain provisions, the firm states.

“In particular, the bill, as drafted, would allow the Federal Trade Commission to move straight to civil monetary penalties for both violations of the security standards section and the data breach notification provisions with no advance guidance from the agency itself,” report authors explain. “The bill was amended at full committee to include a username or email address in combination with a password or security code in the definition of personal information that if breached would trigger notification. The bill will likely also define medical information as personal information by the time it reaches the House floor, as the Chairman of the committee promised Democrats that he would consider including this to gain their support.”

In the Senate, the Commerce, Banking and Judiciary Committees will get a crack at the legislation if it passes the House. While the Obama Administration’s draft data breach bill “is unlikely to move forward, it is likely to play a role in any data breach and security legislation that moves forward in the upper chamber.”  But one of the Administration’s proposals, to foster the sharing of threat information, already is moving through Congress. At least three Senate bills, plus the House bill if passed, could be on the table for consideration during Senate deliberations.

The Experian report, “Government Focus on Cybersecurity Elevates Data Breach Legislation,” also examines state and international policymaking moves, and is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access