Some Democrats on the subcommittee criticized the "significant risk" standard in the bill. Concerns about over-notification are "disingenuous," said Representative Jan Schakowsky, an Illinois Democrat.
"The right response to over-notification is not to restrict information and to keep consumers and Congress in the dark," she said during a Nov. 3 hearing. "If we want to stop over-notification, then corporations need to clean up their act so consumers’ personal information is not compromised in the first place."
CDT also has questioned a reporting exception in some of the congressional bills for encrypted data. Groups such as the Information Technology Association of America (ITAA) have called on Congress to encourage the use of encryption by giving a breach notification exemption to companies that use encryption.
The CDT doesn't object to an encryption exception, but there should be limits, said David Sohn, CDT staff counsel. A company with a data breach shouldn't be able to avoid reporting it if they use weak encryption, he said. And in cases when the encryption key is stolen along with the data -- such as data theft by a company insider -- companies should be required to notify consumers, he added.
But the House subcommittee bill approved Nov. 3 defines encryption as technology approved by the U.S. National Institute of Standards and Technology, said Warren Smith, vice president of marketing for GuardianEdge Technologies Inc., a vendor of encryption technology for mobile devices. The NIST standard is 256-bit encryption, Smith said.
"Breaking that key is considered commercially infeasible," Smith said. "We believe encryption is the fundamental technology for data protection."
Even groups supporting a national data bill have questions about the legislation now in Congress. While ITAA, a trade group, supports a national law that preempts state legislation, many of the current bills focus too much on notification and not enough on preventing data breaches, said Bob Cohen, ITAA's senior vice president. ITAA called for Congress to encourage businesses to employ better data protection measures.
"We are concerned that much of the emphasis in this legislation focuses on horses already out of the barn," Cohen said. "We believe that legislation will be most useful when, along with an appropriately designed notification standard, it also creates incentives for business to adopt practices that protect data and obviate the need for notification."