What a National Data Security and Breach Standard Should Do
By Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America 

It seems as though not a week goes by without news about another significant data breach, spurring concerns about how safe our personal information is when it’s in other hands. While forty-seven states (soon to be 48) already have data breach notification laws, and many also have data security requirements, there are calls in Congress for a national security and breach notice standard. Businesses argue that it’s hard to comply with a patchwork of state data breach laws. This is not a unique situation, however. There are plenty of other laws that states have enacted to protect consumers – on debt collection and telemarketing, for instance. If a company chooses to do business in multiple states, it has to accept the fact that it must comply with those states’ laws (and in some cases with federal laws as well; telemarketing and debt collection are good examples).

Federal data security and breach legislation would only be helpful to consumers if it provides them with greater privacy and security protection than they have today. Most of the bills that have been introduced in Congress would actually weaken existing consumer rights under current state and federal laws, and hamper the ability to enforce those rights.

Finally, a bill has emerged that CFA and other consumer and privacy groups can support. On April 30, Senator Patrick Leahy (D-VT) introduced the Consumer Privacy Protection Act of 2015, with Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Ed Markey (D-MA), Elizabeth Warren (D-MA) and Ron Wyden (D-OR) as co-sponsors. It would require companies to implement security measures to reduce the potential for breaches, cover a broad range of sensitive personal data, require consumers to be notified if that data is breached – not just if the company decides that there is a risk of identity theft or financial harm – and provide for strong enforcement by both federal and state agencies. It would only “preempt”, or override, the provisions of state data security and breach notification laws to the extent that they provide less protection. It also leaves intact the existing authority that federal agencies, such as the Federal Communications Commission, already have (and that some other bills in Congress would remove) to require companies under their jurisdiction to protect consumers’ data and notify them if there is a breach.

This bill would be good for consumers and others who are affected by data breaches, such as banks and credit unions that often have to deal with the consequences if consumers’ financial account information has been compromised. That’s why CFA has endorsed the bill, as have other consumer and privacy groups. If a national standard for data security and breach notice is created, this is what it should do.

The Consumer Federation of America is a national organization of more than 250 nonprofit consumer groups that was founded in 1968 to advance the consumer interest through research, advocacy, and education.