"Most data breaches impact consumers in multiple states, just like the breach that happened here in the House. And electronic data is rarely segmented by state, so under current law, the question becomes, which state law should apply? The state in which the consumer resides? The state in which the breach occurred? Or the state in which the vulnerability existed and was exploited?" Matties said.
Lawmakers considered whether a federal data-breach notification standard should come in a larger bill that would address companies' defensive data-security posture as well as the provisions stipulating how they communicate with their customers in the event of a breach.
That approach would couple the notification provision with the more contentious debate over cybersecurity legislation, which has been simmering within several committees in both chambers for several years.
Several witnesses suggested that a data-breach bill should include an exemption from any notification requirement in cases when the company had encrypted the data so that it would be unusable for the hacker.