The Hill: The time is now for Congress to act on a national data breach notification law
The aftermath of the Equifax data breach, that reportedly exposed 143 million Americans’ personally identifiable information (PII), may have serious congressional implications on how the private sector responds to future incidents. Unfortunately, I say May because this is not the first data breach involving millions of Americans where Congress was unable to act.
As Executive Director of the National Technology Security Coalition (NTSC), the preeminent advocacy association for the Chief Information Security Officer (CISO), I represent the technology executives responsible for securing a wide range of private sector companies. The CISO is at the frontline protecting customer data from countless threats and countless adversaries.
In this dynamic cybersecurity environment, it is incumbent on the CISO to first develop and implement an information security strategy to defend against known threats from known adversaries. Secondly, they must devise a comprehensive security approach to anticipate new threats from a seemingly endless list of state and non-state actors.
In addition to securing consumer data from continual cyberattacks, CISOs are also responsible for the regulatory compliance that accompanies the business. Unfortunately, the regulations from the federal government, along with the regulatory patchwork instituted by all 50 states, the District of Columbia, and the U.S. Territories, does little to protect consumers. The current regulatory requirements throughout the country represent financial investments in administrative costs unrelated to cybersecurity. Instead of focusing on the latest technologies to safeguard against a cyberattack, the emphasis is misplaced on trying to meet the standards set forth in the regulation. Simply stated, CISOs are more often forced to focus on regulatory compliance and not necessarily cybersecurity.
To understand the confusing and often conflicting standards that exist today, I encourage Congress to review existing data breach notification laws. Currently, 48 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have separate laws governing data breach notification. If we share the same goal of protecting consumers, Congress needs to enact a federal data breach notification standard to preempt the hodge-podge of state laws from around the country.
It’s important to note CISOs are not opposed to legal and regulatory oversight. In fact, comprehensive oversight is welcome when the emphasis is properly placed on consumer protection and notification.
For over a decade, a bipartisan, bicameral group of members of Congress have advocated for a national data breach notification law. However, the lack of consensus among the various stakeholders impeded Congress’ ability to enact any of the previously introduced bills.
Now with the Equifax breach taking mainstage, a group of legislators have renewed their call for action. We applaud Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) along with House Majority Leader Kevin McCarthy (R-Calif.) and Reps. Michael McCaul (R-Texas), Maxine Waters (D-Calif.), Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.) for their recent public statements in support of national data breach notification legislation.
Over the next several weeks and months, I anticipate several bills will be introduced in the Senate and House to establish a national data breach notification standard. While Congress debates the merits of the various proposals, I would like to offer our expertise. As an objective third party with no specific industry affiliation, NTSC can bring together CISOs from various industries and support Congress’ efforts to bring a national data breach notification law into fruition to the benefit of consumers across the nation.