Senate leaders are attempting to close the gap on disagreements preventing Congress from passing a bill that would create a federal data security standard for companies in the United States. Congress has been formulating and attempting to pass such a measure for nearly 10 years, but its passage has generally failed due to differences over the scope of the law.
According to Cort Bush, a senior professional staff member on the Senate Commerce, Science and Transportation Committee, Congress raises the issue of a national data security standard every time there is a “high-profile breach.” When speaking recently at the International Association of Privacy Professionals’ global privacy summit in Washington, D.C., Bush said that large data breaches not only draw the attention of the Commerce Committee, but also that of the financial services and judiciary committees.
Congress has been working on establishing a national standard for protecting customer data to resolve issues created by the 49 different state breach notification laws. Legislators, however, have long disagreed over many of the details, such as what constitutes reasonable data security, what penalties should be enforced for noncompliance, whether certain companies should be exempted, and to what extent the national standard would preempt state laws.
Most recently, Bush explained, Commerce Committee Chair John Thune (D-SD) has convened interested senators in an attempt to reach a compromise and, so far, is making progress. “I do think our conversations have been productive and that we're close to having an agreement on legislation that we think could have a good chance of advancing,” Bush said. But, he cautioned, it likely will take more than high-profile data breaches to push the legislation to passage.
Still, recent efforts could be successful given updates to state laws, as well as the implementation of the 72-hour breach reporting deadline under the European Union's General Data Protection Regulation.