Federal Data Breach Notification Legislative Updates

In the United States, no federal law addresses data breach notification obligations across all sectors. Although legislation has previously been introduced in Congress, none of it has been enacted into law.

With the start of the new Congressional session, Congress and the Obama Administration are continuing efforts to establish a single data breach notification standard. Already this year, the Obama Administration has presented to Congress an updated legislative proposal on federal data breach notification standards. Sen. Bill Nelson (D-Fla.) introduced S. 177, the Data Security and Breach Notification Act of 2015, and the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on January 27, 2015, to identify what the key elements of federal data breach legislation should be.

As initiatives regarding federal data breach notification legislation gain momentum, topics of interest on the matter may include the following:

  • How will federal legislation interact with the existing laws on data breach notification of 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands?
  • What type of data breach would trigger the notification obligation?
  • What is the appropriate balance between transparency and the potential for notification fatigue?
  • How will potential exemptions from notification obligations be addressed?