SIIA calls for security-breach notification standard

11.11.2005
The Software & Information Industry Association (SIIA), a leading industry trade group, is renewing its call for a national security-breach notification standard to replace the slew of state laws that companies are currently required to comply with.

Such a law would require the U.S. Congress to establish a "meaningful threshold for breach notification" to avoid the problem of overnotification, Mark Bohannon, the SIIA's general counsel and senior vice president, said Wednesday in testimony before the House Subcommittee on Financial Institutions and Consumer Credit.

Bohannon was testifying in connection with a bipartisan proposal called the Financial Data Protection Act or H.R. 3997, which is now before the House Financial Services Committee. The proposed bill was introduced last month and is designed to help consumers by requiring companies that handle their personal information to take steps to protect that data and to notify them in the case of a security breach.

In his testimony, Bohannon said that the goals and objectives of the proposed bill are consistent with the SIIA's position on the need for a national disclosure law.

"With more than twenty-one states having already enacted data security and breach notification laws, a national standard is needed to avoid confusion to consumers, businesses and the appropriate enforcement authorities," Bohannon said in a statement posted on the SIIA's Web site Friday.

But further amendments are needed to make the bill more effective for consumers and financial institutions, he said. The proposed bill, for instance, includes "several thresholds" for breach notification that could lead to confusion, consumer frustration and overnotification, he said. Instead, what is needed is a notification standard that requires companies to disclose breaches only if there is a reasonable belief that sensitive personal financial information is at significant risk of identity theft, he said.