January 28, 2015

Hearing witnesses warn against 'strict' breach notification

Hearing witnesses told the Senate Homeland Security Committee yesterday that they support data breach notification but urged against setting a strict timeline for it.

During the hearing, Chairman Johnson, R-Wisc., asked witnesses how timely data breach notifications should be. American Express Executive Vice President and Chief Information Officer Marc Gordon suggested a "reasonable man standard" rather than a strict timeline.

FireEye Chief Security Strategist Richard Bejtlich also emphasized that breaches must be clearly defined as incidents involving stolen personally identifiable information, not merely the infiltration of a computer.

Wednesday's hearing was held to discuss how federal legislation could address problems related to information sharing and notification of consumers about data breaches.

NAFCU Senior Vice President of Government Affairs and General Counsel Carrie Hunt wrote to committee leaders on Tuesday, ahead of the hearing, to reiterate NAFCU's belief that better cybersecurity should be coupled with a national data security standard.

The association has urged legislation to ensure that consumers are notified of breaches within a reasonable amount of time after they occur. NAFCU also believes a national standard should ensure that:

  • breached entities be held accountable for costs resulting from their negligence;
  • consumers be made aware of retailers' data security policies;
  • account servicers be notified; and
  • retailers be held to account for violating prohibitions on data retention.