Data breaches small and large are a fact of digital life. But what are an organization’s responsibilities for notifying users when a breach occurs? Ravi Pendse, Brown’s chief information officer, testified about that question in Washington.

PROVIDENCE, R.I. [Brown University] — Brown University CIO Ravi Pendse told a senate subcommittee today he supports the passage of national guidelines for notifying people when private data is breached in cyberspace.

“Breach notification is a national issue, so I would encourage you to consider a single, national legislation,” Pendse told the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. Such legislation “should clearly define the rules and actions that are required in case of a breach. It should identify the method, speed, delivery, and content of notification.”

Without national guidelines, states have taken it upon themselves to pass their own breach notification laws. Currently, 47 states have such laws. That presents a challenge for institutions like Brown, which welcomes students from all 50 states.

“While there are similarities between these state laws, no two are exactly alike,” Pendse said. “Maintaining the necessary standards for each state is ... very difficult. This can create a barrier for small, innovative organizations lacking the expertise to address the specifics of state laws. This type of burden stifles innovation in my view.”

Pendse also stressed the need for measures that might prevent data breaches before they happen.

“Most importantly, [legislation] should provide incentives to establish education to better combat breaches,” he said. “It is important for us to develop cybersecurity expertise within the United States. Our national security cannot be off-shored.”

Today’s hearing, convened by Sen. Jerry Moran (R-Kan.), was the first meeting of the subcommittee in the 114th Congress. Pendse’s complete written testimony and a video of the session can be found on the Commerce Committee’s website.