WASHINGTON–A top Justice Department official called for a strong uniform federal standard requiring certain types of businesses to report data breaches in a Judiciary Committee hearing on Tuesday.
“Businesses should be required to provide prompt notice to consumers in the wake of a breach and to notify the federal government of breaches so that law enforcement can pursue and catch the perpetrators,” said Mythili Raman, acting assistant attorney general in the criminal division of the Justice Department, during the hearing titled, “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.”
Raman referenced a 2011 proposal from the Obama administration on cybersecurity as a model for the path Congress should pursue on the issue.
“Business entities must notify any individual whose sensitive, personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm,” she said.
“Business entities covered under this requirement are those that use, access, transmit, store, dispose of, or collect sensitive, personally identifiable information about more than 10,000 people during any 12-month period,” she added.
Raman, who oversees almost 600 attorneys in her department, said the Obama administration believes businesses that have demonstrated effective data breach prevention programs should be exempt from having to notify individual customers about a security breach.
This exemption would be contingent upon the conclusion of a “risk assessment” showing there is no reasonable risk that a security breach will harm the individuals whose information was compromised.