The push for a national law received a boost in January, when President Barack Obama voiced support for legislation.
While several lawmakers called on Congress to move forward with a bill, just one of seven witnesses at Wednesday's hearing voiced support for the draft bill as written. The draft bill goes beyond breach notification by including "substantive" data security requirements, said Jon Leibowitz, co-chairman of the 21st Century Privacy Coalition, an advocacy group supported by large telecom and cable firms.
By replacing the "ever-changing patchwork" of state laws, the bill would give consumers certainty that they're protected in data breaches, added Leibowitz, a former FTC chairman. "Consumers in every part of the country are entitled to the same robust protections, and companies are entitled to a logical and coherent compliance regime," he said.
Leibowitz also praised the bill for putting enforcement in the hands of the FTC. "This bill is better for consumers than current law," he added.
The bill allows the FTC to levy fines of up to US $2.5 million for each violation of its data security rules and $2.5 million for failing to provide notice to consumers. "These amounts appear punitive, and do not seem to reflect that an organization that suffered a data breach, in most cases, is a victim itself of criminal hackers," Weinman said.