House Members Weigh Value of EU’s Quick Breach Notice

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The U.S. should consider adopting a federal standard for immediate data breach notification similar to the European Union’s forthcoming 72-hour notice rule, lawmakers from both parties suggested Feb. 14.

The EU General Data Protection Regulation (GDPR) will introduce the first broad, breach notification mandate for the 28-country bloc when it takes effect May 25. It will require companies to notify affected individuals within 72 hours of discovering a data breach.

The massive breach of 145 million individuals’ data by consumer credit reporting company Equifax Inc. generated renewed interest in Congress in passing a data breach notification law. Equifax took more than 45 days to report the breach.

Rep. Blaine Luetkemeyer (R-Mo.), chairman of the Financial Institutions and Consumer Credit Subcommittee, said that he doesn’t know how companies gain back the trust of U.S. consumers “unless you go to an immediate notification. This is what I think we need to go to.”

He cited the upcoming EU rule as an example of a quick notification standard during a hearing on data breach regulations, questioning witnesses about the value of that deadline.

“Europe is looking at a 72-hour window,” he said. “Do you all agree that immediate notification is necessary, or some other standard?”

The U.S. needs notification that is almost immediate, and at least as soon as practicable, Marc Rotenberg, president of the advocacy group the Electronic Privacy Information Center, said.

I think “the 72 hours that the Europeans chose is probably a good target,” Rotenberg said.

Companies have favored a much longer period before notifying—30 to 60 days, typically—and moving to a shorter deadline could mean a greater compliance burden and higher costs.

“The 30 to 60 days that companies have favored is just too long,” Rep. Carolyn Maloney (D-N.Y.) said. The U.S. should move to a 72-hour standard since many companies will already need to comply with the GDPR, she said.

U.S. companies that control the collection of or process personal data of EU citizens must follow the GDPR’s rules when it takes effect.

Lacy Clay (D-Mo.), the subcommittee’s ranking member, said Congress should look at the GDPR’s positive aspects when considering any data breach notification legislation.

With breach notification laws existing in all states, except South Dakota and Alabama, privacy advocates have called for a single national law to preempt the various state standards. Breach notice bills, however, have been introduced in every Congress since 2003 without success.

Most recently, Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.), and Tammy Baldwin (D-Wisc.) introduced a bill requiring organizations to notify affected individuals and the Federal Trade Commission within 30 days of discovering a breach.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security