Republican staffers have signaled the questions their members are pondering for a Jan. 27 hearing on cybersecurity in the House Energy & Commerce Committee, including what constitutes "overnotification" about breaches.
President Obama has made cybersecurity one of three key communications issues for his last two years (online privacy and broadband deployment are the other two), but it is also on the new Congress' to-do list.
Citing a laundry list of attacks in the past year that included the Sony hack and Cox Communications, the Majority staff memo pointed to a "patchwork" of 47 state laws dealing with breach notification and another dozen on data security. "This patchwork of state laws creates confusion for consumers looking for consistency and predictability in breach notices as well as compliance issues for businesses in the midst of securing their systems after a breach," the memo said.
The questions being teed up on the Republican side include:
- "What are important components of a trigger for notifying consumers after a breach?
- "When should companies notify consumers after a breach? What factors go into that decision?
- "Does including a data security requirement in this bill add value for consumers and businesses navigating the current patchwork of state laws?
- "What types of information lead to identity theft? Financial fraud?
- "What elements of a breach notification bill are most critical to reduce the complexity associated with the existing 47 different State laws?
- "What can be done to protect against customer overnotification?"