Data Breaches and Notification

The benefits derived from the Internet, such as social networking, e-commerce and business applications would not be possible without data security and assurance. Such precautions promote a level playing field for all IT businesses, large and small, to compete for the development of new and innovative products and services. Elimination of the patchwork of state data breach laws will eliminate a barrier to entry for SMB tech firms in the area of cybersecurity and data protection.

Policy Goal: A national and uniform approach to data breach and notification laws will reduce costs for companies. Such an approach would help reduce, if not eliminate, barriers to entry for firms focused on providing cybersecurity products and services, while also reducing unnecessary costs for the entire industry.

Most of the proposed federal legislation addressing this issue does not meet the objective of a clear national approach and potentially could open the door to new state data breach laws in the area of private rights of action or create uncertainty as to what areas are covered under this proposed law. However, S.3742, the Data Security and Breach Notification Act of 2010, presents a better approach with a catch-all phrase that states this bill “preempts state information security laws.” We work with the relevant staff to address our policy concerns.