WASHINGTON -- After a spate of large-scale cyberattacks on major retailers, Atty. Gen.
Holder said creating such a law would bolster the Justice Department's ability to combat crimes and hold organizations accountable for failing to protect private information.
The announcement Monday comes just weeks after lawmakers called for tighter notification standards during congressional hearings into recent commercial cyberattacks, including high-profile cases at
During the holiday season, an attack on Target’s systems compromised the security of 40 million payment card numbers as well as the names, addresses and phone numbers of as many as 70 million customers. The Justice Department and Secret Service are investigating the incident.
Not long after the Target attack, executives at upscale retailer Neiman Marcus discovered that malware on the company's systems had exposed as many as 1.1 million payment cards.
Holder said a notification standard would benefit consumers and law enforcement.
"This would empower the American people to protect themselves if they are at risk of identity theft," he said in a video statement. "It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe."
Exceptions to the notification standard would be made for harmless security breaches, Holder said.
Forty-six states and the District of Columbia have laws that dictate standards for disclosing a breach. Some state attorneys general and consumer advocates have voiced concerns that a federal law might preempt stricter state laws.
Illinois Atty. Gen.
Consumer advocate Ed Mierzwinski said in an interview that he’s encouraged that Holder is engaged on the issue but cautions against passing a law that is weaker than the strongest state law. Another concern, he said, is that a federal law could prevent states from acting on future data security legislation.
In written testimony Feb. 3, the retail trade group's general counsel, Mallory Duncan, said a federal standard would allow businesses "to focus their resources on remedying the breach and notifying consumers rather than hiring outside legal assistance to help guide them through the myriad and sometimes conflicting set of 50 data breach notification standards in the state and federal jurisdictions."