Tweet Cybersecurity

The Time is Now for Breach Legislation

Data breaches are all over the news these days — Epsilon, Sony, Citi and Lockheed Martin, to name a few of the corporations, along with a number of government agencies and organizations.

One group, the Privacy Rights Clearinghouse, has recorded more than 2,500 breaches since 2005, involving more than 530 million individual records. In many cases, these records include data that are useful to identity thieves, such as Social Security, credit card, and driver’s license numbers.

Surveys find these breaches are causing people to question the security of online transactions. That is especially troubling because we are in the middle of an exciting new wave of innovation with the emergence of cloud computing, which offers tremendous new opportunities for economic growth by promoting greater efficiency and cost savings. We cannot allow breaches to erode confidence in the online world at this important moment for the Internet economy.

For years, BSA and its members have fought to protect data against cybercriminals by investing to reduce vulnerabilities and protect the integrity of the technologies they provide; by developing cutting-edge security solutions for businesses and consumers; and by leading the fight against software piracy — not only because it drains revenues from American companies, but also because illegal software commonly includes malicious computer code that hackers and other criminals use to steal data.

Importantly, BSA members are also at the forefront of the cloud computing revolution — which creates new opportunities to store data behind strong security walls.

But there is an urgent need for Congress to act, too. Those who are responsible for holding data should have a duty to take appropriate security measures, consistent with the sensitivity of the data entrusted to them. And when there is a breach that poses a significant risk of harm, customers and consumers should be notified promptly.

In the absence of a national law, all but a handful of states have already enacted their own data breach notification requirements. Unfortunately, this has created a legal patchwork that is unwieldy for businesses and potentially confusing to consumers. We need a uniform, national framework that protects consumers and preempts this patchwork of state laws.

I testified today before the House Energy and Commerce Committee in a hearing to discuss draft legislation being introduced by Rep. Mary Bono Mack (R-Calif.), Chairman of the Subcommittee on Commerce, Manufacturing, and Trade. I endorsed the bill’s key provisions. In particular:

  • BSA supports requiring organizations that hold sensitive personal information to implement reasonable security procedures. The draft bill takes into account an organization’s size, the scope of its activities, and the costs involved.
  • We support creating incentives to adopt strong security measures. The draft bill will promote the use of technologies such as encryption, which render data unusable, unreadable or indecipherable to thieves if they manage to steal it.
  • We support an approach that avoids unnecessarily alarming or confusing consumers. And the draft bill accomplishes that by only requiring notification when there is a risk of identity theft, fraud or unlawful activity.
  • Finally, BSA supports the bill’s establishment of a uniform, national framework with federal enforcement — preempting today’s patchwork of state laws.

I testified two years ago, too, about the need for a national data breach law. Since then, at least 250 million sensitive records have been breached, according to the Privacy Rights Clearinghouse.

This is now the fourth Congress to consider data breach legislation. I urge Members to pass a federal data breach law this year. The time to act is now. The need is clear, as are the solutions.

Robert Holleyman


As President and CEO of BSA | The Software Alliance from 1990 until April 2013, Robert Holleyman long served as the chief advocate for the global software industry. Before leaving BSA to start his own venture, Cloud4Growth, Holleyman led the most successful anti-piracy program in the history of any industry, driving down software piracy rates in markets around the world.

Named one of the 50 most influential people in the intellectual property world, he was instrumental in putting into place the global policy framework that today protects software under copyright law. A widely respected champion for open markets, Holleyman also was appointed by President Barack Obama to serve on the President’s Advisory Committee for Trade Policy and Negotiations, the principal advisory committee for the US government on trade matters.

Holleyman was a leader in industry efforts to establish the legal framework necessary for cloud-computing technologies to flourish. He was an early proponent for policies that promote deployment of security technologies to build public trust and confidence in cyberspace. And he created a highly regarded series of forums for industry executives and policymakers to exchange points of view and forge agreements on the best ways to spur technology advances and promote economic growth.

Before heading BSA, Holleyman was a counselor and legislative adviser in the United States Senate, an attorney in private practice, and a judicial clerk in US District Court. He holds a bachelor’s degree from Trinity University in San Antonio, Texas, a J.D. from Louisiana State University, and has completed the Stanford Executive Program at the Stanford Graduate School of Business.

Leave a Reply

Your email address will not be published. Required fields are marked *

1 × 2 =