After years of identity theft holding the top spot for crimes reported to the Federal Trade Commission, and following recent reports of massive data breaches, U.S. Attorney General Eric Holder urged Congress today to enact a national law setting a uniform standard for notifying individuals regarding breaches involving their personal information, according to a report by Reuters. Earlier this month, Federal Trade Commission Chairwoman Edith Ramirez made a similar request to Congress.
For years Congress has tried to enact a national breach notification law. Some recent examples include H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer) and S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown). Other members of Congress, such as Sens. Feinstein and Leahy, have made similar proposals. However, the usual Congressional wrangling over issues such as what agency will control enforcement, and whether there should be a risk-of-harm trigger as exists in many states, has stalled these legislative efforts. At the same time, states fear that their stringent protections may wind up being preempted by a new federal mandate.
Attorney General Holder is reported to have observed that data breaches “are becoming all too common.” Some would say they are already too common. But it remains to be seen whether Congress will act. For now, companies should be taking steps to avoid data breaches, but should also be prepared to respond quickly should a breach happen – which may mean understanding the nuances of the applicable state laws.