Holder said creating such a law would bolster the Justice Department’s ability to combat crimes and hold organizations accountable for failing to protect private information.
The announcement Monday comes just weeks after lawmakers called for tighter notification standards during congressional hearings into recent commercial cyberattacks, including high-profile cases at Target Corp. and Neiman Marcus. Several legislators, including Sens. Patrick Leahy (D-Vt.) and Dianne Feinstein (D-Calif.), have recently introduced bills on the issue.
During the holiday season, an attack on Target’s systems compromised the security of 40 million payment card numbers as well as the names, addresses and phone numbers of as many as 70 million customers. The Justice Department and Secret Service are investigating the incident.
Not long after the Target attack, executives at upscale retailer Neiman Marcus discovered malware on its system had exposed as many as 1.1 million payment cards.
Holder said a notification standard would benefit consumers and law enforcement.
“This would empower the American people to protect themselves if they are at risk of identity theft,” he said in a video statement. “It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe.”
Exceptions to the notification standard would be made for harmless security breaches, Holder said.
Forty-six states and the District of Columbia have laws that dictate standards for disclosing a breach. Some state attorneys general and consumer advocates have voiced concerns that a federal law might preempt stricter state laws.
Illinois Atty. Gen. Lisa Madigan warned of just that in testimony before a House subcommittee. Madigan said her constituents do not want the state’s law preempted but instead are “asking why companies are not doing more to protect their personal and financial information and prevent these breaches from occurring in the first place.”
Consumer advocate Ed Mierzwinski said in an interview that he’s encouraged that Holder is engaged on the issue but cautions against passing a law that is weaker than the strongest state law. Another concern, he said, is that a federal law could prevent states from acting on future data security legislation.
But the National Retail Federation argues that for businesses that currently must comply with a patchwork of laws, one preemptive law would greatly simplify the notification process.
In written testimony Feb. 3, the retail trade group’s general counsel, Mallory Duncan, said a federal standard would allow businesses “to focus their resources on remedying the breach and notifying consumers rather than hiring outside legal assistance to help guide them through the myriad and sometimes conflicting set of 50 data breach notification standards in the state and federal jurisdictions.”