A national data breach law is unlikely, said members of a panel at the RSA Conference Tuesday.
There was a real opportunity three years ago to have such a law, but the drive has pretty much died, said Mike Zaneis, vice president of public policy, Interactive Advertising Bureau. “We sort of missed the bus,” he said, adding that such legislation is mired in a number of issues. Large and mid-size companies generally assume they need to notify customers of a data breach, he added.
Jim Dempsey, vice president of public policy at the Center for Democracy and Technology, said it’s highly unlikely a national breach law will be passed. About 39 states have enacted breach notification laws and companies generally have applied them nationally, he said. The only entities left out of coverage are state agencies and universities in a few states that don’t have breach notification laws, Dempsey said.
“At this point, there’s no support for a federal law,” he said.
Companies are worried that a federal law would end up more stringent than the state laws while privacy advocates are worried it wouldn’t be stringent enough, he added.