Top lawmakers on a Senate investigations subcommittee are calling for new data security and breach notification legislation, after several high-profile data scandals.

Sen. Rob Portman (R-Ohio), chairman of the Senate Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, said he wanted to work with other lawmakers on legislation that “ensures both the protection of consumer data and prompt notification when data is compromised,” during a subcommittee hearing on data breaches.

The CEOs of Equifax Inc. and Marriott International Inc. both testified before the subcommittee. Equifax suffered a hack in 2017 that exposed the sensitive information of more than 145 million people. Marriott disclosed a breach of its Starwood guest reservation system in November 2018 that may have affected about 383 million records.

“Here in Congress, I think it’s long past time for us to come to agreement on a federal data security law that lays out for private industry what we expect from them, both in data protection and data breach notification,” Sen. Tom Carper (D-Del.) said.

Equifax CEO Mark Begor told lawmakers that the company is “investing unprecedented amounts in technology and security, as well as enhancing our processes to make it easier for consumers to manage their credit reports.”

Arne Sorenson, Marriott’s president and CEO, said that after learning of the Starwood incident, the company “accelerated retirement of Starwood’s reservation system, and as of December 18, 2018 are no longer using the Starwood guest reservation database to conduct business or operations.”

All 50 states and the District of Columbia have enacted breach notice legislation, with varying standards for when companies must notify consumers and law enforcement after discovering a hack.

Begor said that there are challenges in complying with the differing state requirements and that the company supports “unified federal legislation.” Sorenson also said it would be “simpler” to have one U.S. standard, but that the varying state standards were not among the biggest challenges the company faced when dealing with the data breach.

FTC Powers

House and Senate lawmakers are also weighing federal privacy legislation that would govern how companies handle consumers’ personal information. Democrats and Republicans are debating whether to give the Federal Trade Commission enhanced powers to police corporate data security and privacy practices.

Any data security legislation should give the FTC the authorities to impose civil penalties for data security violations and issue implementing rules, Andrew Smith, director of the agency’s consumer protection bureau, told the subcommittee.

Giving the FTC—or whichever agency Congress chooses to have oversight of the issue—these additional tools are necessary to get the job done, Alicia Puente Cackley, director of financial markets and community investment at the U.S. Government Accountability Office, Congress’ investigatory arm, said.