Standards Sought in Data Breach Notification
“This would empower the American people to protect themselves if they are at risk of identity theft,” Holder said in a statement urging congressional action. “It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe.”
Data thefts at Target and luxury retailer Neiman Marcus Group LLC have rekindled enthusiasm in Congress for a single federal law on how customers should be notified about such breaches. But those efforts face the same roadblock as in the past: dozens of overlapping state laws are already in place.
Federal laws regulate how specific industries, such as banks and hospitals, handle data security breaches, but other kinds of companies, including retailers, face no such uniform standard.
Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach. Negotiations over fitting state standards under an umbrella federal law therefore face a tug of war among companies, consumer advocates and state authorities.
The National Retail Federation in a January letter to Congress restated its decade-old position in favor of a nationwide standard that would pre-empt state rules.
But some state attorneys general worry that federal standards would dilute their power to pursue violators.
Saying that data breaches “are becoming all too common,” Holder said Justice Department officials were working closely with the FBI and prosecutors to combat cyber criminals.
“It’s time for leaders in Washington to provide the tools we need to do even more,” he added, urging Congress “to create a strong, national standard for quickly alerting consumers whose information may be compromised.”