Rep. Connolly: National data breach notification law could be coming

Gerry Connolly said he hopes for a national standard to evolve among the private sector, but massive breaches like that at credit monitoring firm Equifax may force Congress’s hand.
Rep. Gerry Connolly speaks Oct. 26 at Dell Technologies' Digital Transformation Summit presented by FedScoop. (CyberScoop)

A cybersecurity-focused lawmaker says Congress may have to consider national data-breach notification legislation if companies don’t do a better job of alerting people when they’ve suffered a breach.

Rep. Gerry Connolly, D-Va., said he hopes for a national standard to evolve among the private sector, but massive breaches like that at credit monitoring firm Equifax may force Congress’s hand.

Congress doesn’t “want to upset the technology community with obtrusive regulation,” but the private sector has been poor in instilling confidence that it will act in the public’s best interest, he said.

“I think it’s headed that way absent some fresh look by industry, a benchmark standard that everybody’s accepted voluntarily to meet, so that federal regulation is unnecessary,” Connolly told CyberScoop Thursday during Dell Technologies’ Digital Transformation Summit. “I think Equifax is a great test of whether industry is capable of meeting that test.”

Equifax has come under great scrutiny for the way it handled a breach that affected 145.5 million people. The firm discovered the breach July 29, six weeks before revealing it to the public.

Currently, companies are held to a patchwork of state-level breach notification laws that differ depending on the location. Equifax, headquartered in Atlanta, was bound by Georgia law.

The state’s law stipulates that data breach notifications “shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”

There has been movement before on a national data breach notification law. In 2015, the Obama administration pushed the Personal Data Notification & Protection Act, but it did not advance in Congress.

Connolly said another reason Congress hasn’t been able to agree on a breach notification standard is a lack of understanding of cybersecurity as a whole.

“I have always been depressed with how slow Congress has been to react to cyberthreats, both in the federal government and the private sector,” Connolly said.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.