The U.S. Congress should pass a law requiring businesses that have lost customer information in cyberattacks to notify those affected, U.S. Attorney General Eric Holder said Monday.
In light of recent data breaches, including at Target and Neiman Marcus, a data-breach notification law would help the U.S. Department of Justice combat crime, protect privacy and prevent identity theft, Holder said in a video message.
"As we’ve seen—especially in recent years—these crimes are becoming all too common,” Holder said. “And although Justice Department officials are working closely with the FBI and prosecutors across the country to bring cybercriminals to justice, it’s time for leaders in Washington to provide the tools we need to do even more: by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches.”
President Barack Obama’s administration has long supported a national data-breach law, and some members of Congress have been calling for notification rules for nearly a decade, but lawmakers have been unable to pass a law. More than 45 U.S. states have data-breach notification laws.
A national standard for notifying affected data-breach victims is needed, Holder said. “This would empower the American people to protect themselves if they are at risk of identity theft,” he added. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.”
A data-breach notification law should include “reasonable” exemptions for breaches where private data wasn’t compromised, he said.