Facebook CEO Mark Zuckerberg testified before Congress last month regarding Cambridge Analytica’s unauthorized use of data of an estimated 87 million Facebook users to profile and target voters during the 2016 U.S. presidential election. During questioning, Senator Amy Klobuchar of Minnesota asked whether Zuckerberg would support a rule requiring Facebook to notify its users of a data breach within 72 hours, and Zuckerberg suggested that he would. Thereafter, on April 23, Senators Klobuchar and John Kennedy of Louisiana introduced the “Social Media Privacy Protection and Consumer Rights Act of 2018” (S. 2728), which would require “covered online platforms,” including public-facing websites, web applications, mobile applications, and email services, to provide notice of a data breach to affected users within 72 hours of learning that personal data about the users was inappropriately transmitted.

Amidst the patchwork of competing state laws and sector-specific federal standards, support has been growing for a preemptive federal standard for notification following a cybersecurity incident involving the exposure of personal information. Currently, notification following a breach is governed by 50 different state laws, as well as sector-specific standards such as the Gramm-Leach-Bliley Act (applicable to the financial services industry) and the Health Insurance Portability and Accountability Act (applicable to personal health care information). These laws vary widely with respect to the requirements they impose on covered entities, including the categories of compromised data and types of compromise that trigger a notice requirement, the time frame within which notice must be provided, and the information that must be included in any notice.