A Federal data breach disclosure law, which would require companies to report data breaches to customers within 30 days, will be reintroduced this year, according to Rep. Jim Langevin, D-R.I.
Speaking at the State of the Net conference on Tuesday, Langevin noted that varying state breach disclosure laws can create a patchwork of regulations that can confuse companies.
“Right now, unfortunately, there are 50 state laws on the books that govern data breach notification. That’s certainly problematic, on a number of levels,” he noted. “The most important thing is to notify customers quickly and close off those areas where data can be misused for nefarious gain.”
Langevin’s co-panelist, Corey Thomas, president of cybersecurity firm Rapid7, offered his agreement from an industry perspective.
“You actually have a growing consensus that a national framework is not just positive, but it’s necessary,” said Thomas. “What I’m observing is that there are a lot of business groups who tend to be against any type of regulation or increased regulation and oversight, slowly moving to a consensus that there has to be a national framework.”
Langevin noted that this is a longstanding effort from his office, and that he worked with President Obama’s administration to craft the policy. He pointed to the debates over which sectors to exempt from notification requirements and which committees should handle the legislation as major hold-ups for the effort.
He expanded on his frustration with the structure of congressional oversight of cybersecurity, pointing to his efforts to streamline jurisdiction on cyber.
“I’ve already had a conversation with [House] Speaker [Nancy] Pelosi about the jurisdictional issues. Right now, there are some 80 different committees and subcommittees that claim some jurisdiction over cybersecurity, and hence, it’s the reason why we’ve been slow to see more bills make their way through Congress that would strengthen our cybersecurity posture,” Langevin said.
He pointed to the Committee on the Modernization of Congress as a potential opportunity to establish clear jurisdiction on cybersecurity issues.
“We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct,” he said.
Langevin and Thomas also highlighted the importance of supply chain security. Langevin noted that supply chain security is “one of those things that keeps me up late at night,” and emphasized the importance of securing the supply chain all the way down, from Federal networks to small subcontractors.
“Supply chain security is going to be a very big focus of what my subcommittee continues to highlight and do a deep dive on,” he said.