Devil in the details on data breach legislation
It’s almost impossible to pick up a newspaper without reading about a new breach of data that impacts individuals or a large corporation. Over the last few years, more and more data breaches have occurred. Target, Home Depot and Sony have dominated the headlines, but there have been hundreds, if not thousands, more data breaches over the same period of time.
The world is changing at a breakneck speed — we live in a connected world. We now hold in our hands smartphones that contain more technology than the spaceship that took us to the moon. While this technology offers connections and convenience unimagined a decade ago, these benefits do not come without risk. It is no longer just about protecting our physical self from harm, but we must protect our virtual self as well.
Data breaches can lead to financial theft and identity theft, which can take years to fix. While individuals should do everything possible to protect themselves through education, precautions and awareness, private companies and government also have a critical obligation to do all they can to protect our data, especially in making individuals aware when data breaches occur.
We must be careful on this issue — taking the wrong approach can hurt the incredible innovation and opportunities we’ve been afforded. Before the government proposes any legislation, we must have a clearly defined problem to prevent unintended consequences. Clarity helps to determine if there is a real risk. Choosing a standard based on risk prevents regulatory overreach and prevents Congress from having to come back and rewrite standards in a rapidly changing technological landscape. Any solutions proposed by Congress must be both flexible to keep up with new technology and mindful of the law of unintended consequences when government intervenes.
As we work to address this critical problem, we must carefully work with all relevant parties to ensure that any proposals are technology neutral. Regulations should stay away from prescribing specific technologies as opposed to an end product. No one wants to limit the imaginations of our innovators.
Technology continues to develop at a rapid rate. If we don’t allow for flexibility in how our laws address security, we will lose critical opportunities to strengthen security by boxing ourselves in on one specific solution. Every day, new innovations improve our ability to protect consumers, which is why mandating one solution over another is the wrong approach.
In the House Energy and Commerce Committee, we recently held a hearing on data privacy to hear from some of the top industry experts on solutions and timing of notification for consumers in the event of a data breach. The hearing addressed what should be included in data breach legislation and how federal pre-emption could help protect consumers’ data.
President Obama recently gave a speech regarding his plans to protect privacy. We agree with the need for a federal standard for data breach notifications, but the devil is in the details. Any federal solution must adhere to the basic principles of assuming and defining harm, maintaining flexibility to keep up with new technologies and preventing regulatory overreach. Working together, we can protect consumers and encourage new technologies.
Rep. Pete Olson (R) has represented Texas’ 22nd Congressional District since 2009. He sits on the Energy and Commerce Committee.