On February 5, Illinois Attorney General Lisa Madigan testified before the U.S. Senate, calling on Congress to enact a strong, meaningful federal data breach notification law, while at the same time lobbying Congress to avoid preempting states from enforcing their own data protection laws.

Before the Senate’s Subcommittee on Commerce, Science and Transportation in a hearing titled “Getting it Right on Data Breach and Notification Legislation in the 114th Congress,” Madigan urged members of the subcommittee to authorize a federal agency to investigate large, sophisticated data breaches, akin to the National Transportation Safety Board’s role in aviation accidents.  According to Madigan, a single federal entity authorized to investigate data breaches would provide expertise in data security for the country to better protect American consumers.

Madigan testified that the federal law not only should be crafted to cover the disclosure of Social Security numbers and other personal information contained in the first wave of state breach laws that began to pop up a decade ago, but also needs to include information such as biometric data and login credentials that are being inserted into the second draft of state laws.

“I think everyone agrees that if you set a national standard, it cannot be a weak one.  It has to be a higher one than some of the first-generation state notification laws,” the regulator said, adding that the Federal Trade Commission should be given the authority to update the definition of covered personal information in response to new threats.

Equally as important as Congress considers a federal data breach notification law, Madigan said, is the ability for state regulators to continue investigating data breaches at the state level.  She called for federal legislation to avoid preempting the states’ ability to respond and act when data breaches affect residents in their states.

“As a state regulator, I oppose federal legislation that limits our ability at the state level to respond and guard our residents,” she said.  “A weak national law that restricts what most laws have long provided will not meet Americans’ increasing expectations that they be told when their information is stolen.”

You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.