A bill is pending to amend the Gramm-Leach-Bliley Act (GLBA) to include a national data breach notification law that would supersede the various state laws that now apply to the financial sector.
This initiative has the support of the American Bankers Association (ABA), which sent a letter to the committee stating, “We support reporting this legislation out of Committee so that Congress can take a step forward in enacting comprehensive data breach legislation.” The ABA favors a flexible, scalable data protection standard and notification regime equivalent to that of GLBA, one that would be consistently and exclusively enforced and would pre-empt “the existing patchwork of often conflicting and contradictory state laws.”
It is important to note that this will help in states that did not already have breach notification laws, but it has no impact on states such as California and New York, which are consistently early adopters of consumer legislation and already have data breach notification requirements in place. This bill also focuses on the financial sector, although other sectors may be next; for example, the NIST Act To Benefit Small Business could be followed by a similar breach notification requirement.
Even more important, notification laws only take effect once an organization becomes aware of a breach. This is why monitoring and detection of cyber threats is required under compliance regimes and is recognized as best practice, as outlined in the NIST Cybersecurity Framework.