Congress held its first hearing on President Obama’s proposal for a national breach notification standard on January 27. Testimony primarily from retail and technology trade associations supported much of the plan, but support was lacking for the provision to notify individuals within 30 days of discovering a breach.

In testimony before the House Energy & Commerce subcommittee on commerce, manufacturing and trade, The Computing Technology Industry Association (CompTIA) and the Retail Industry Leaders Association (RILA) both bemoaned the 51 state and territorial breach notification rules in effect and strongly supported a national notification standard.

“Strong preemption is necessary to ensure that a federal law is not the fifty-second data breach law with which retailers must comply,” said Brian Dodge, executive vice president at RILA. “Similarly, a federal law should not include regulatory authority to allow the Federal Trade Commission to change notification rules, which will undercut the goal of creating a single and predictable national breach notification standard.”

President Obama’s proposal offers three exceptions to a 30-day notification requirement: to accommodate law enforcement or national security purposes, or businesses may seek additional time from the FTC.

Neither association specifically mentioned the 30-day notification period, which is half the 60 days currently granted for healthcare entities under the HIPAA law. Rather, they suggested broader periods in which to start the notification process.

“When a breach is discovered, one of the first things a company must do is to conduct a risk assessment to determine the type of data that has been accessed and the risk that potential fraudulent use of the data could entail,” testified Elizabeth Hyman, an executive vice president of public advocacy at CompTIA. “This risk assessment is a vital component to a company’s data breach response, and, depending upon the seriousness of the breach, may take some time to complete. We therefore ask that a federal standard ‘starts the clock’ on a notification requirement only after the risk assessment has been completed.”

Retailers appear to want an open timetable for notification. “The timeframe should be triggered by the confirmation of a breach and bound by the time it takes to investigate and verify facts, as fact-based notification provides customers with proper information through which to determine what action to take,” Dodge of RILA testified.

Notification, Dodge added, should be provided upon reasonable belief that a breach has or will result in identity theft, economic loss or harm. Both associations warned against notifying customers of every type of breach as they will become less likely to pay attention to the notices.

Full testimonies from the hearing are available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access