2015 may be the year that the U.S. Congress gets serious about national data breach legislation. In late January, the House Commerce, Manufacturing, and Trade Subcommittee opened hearings on the matter, and Subcommittee Chairman Michael Burgess (R-TX) has called the issue a “top priority” for the new Congress.
The hearing opened after President Barack Obama outlined his own legislative proposal as part of the State of the Union (SOTU). The Personal Data Notification & Protection Act would criminalize illicit overseas trading or selling of stolen identity data, and would require breached organizations to notify customers within 30 days of the event.
“The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” Obama told the Federal Trade Commission in mid-January, just days before the SOTU. “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply with this patchwork of laws.”
While past attempts by Congress to address the issue have stumbled and stalled, recent well-publicized and massive data breaches — and consumers’ reaction to them — are placing pressure on legislators to pass legislation. And Congress appears ready to put political differences aside to do just that.
“I do sincerely believe that is an achievable goal,” Rep. Burgess told The Hill. “It’s clear most of us agree on preemption.”
Forty-seven states already have data breach notification laws. These laws dictate who must comply, define “personal information” and what constitutes a breach, and set out notice requirements and exemptions.
At TransFirst®, we consider data breach security to be a serious concern for all parties involved in payment processing, including ourselves and our merchant and service provider clients. From our perspective, a data breach occurs when an unauthorized party accesses a merchant’s network and steals cardholder data, typically through hacking, malware or spyware, employee dishonesty or the loss of cards, paper records or a device.
The first line of defense against a data breach is PCI compliance: strict adherence to the Payment Card Industry Data Security Standard (PCI DSS), which focuses on keeping the storage, transmission and processing of cardholder data secure. We also offer a Data Breach Security Program to help protect our clients, their businesses and their customers from the serious fallout a data breach can generate.
We will follow activity on Capitol Hill regarding the proposed national data breach prevention legislation and update our coverage as necessary.