Momentum for federal data breach notification legislation in the U.S. inched forward on Tuesday during a House Energy & Commerce subcommittee hearing on Capitol Hill, but full consensus on some of the details remains out of reach. Several witnesses representing the tech and retailer industries, as well as Acxiom, agreed a federal law is necessary but that it must preempt existing state data breach laws and require a harm-based trigger for notification.
There also appeared to be the beginnings of consensus on both sides of the political aisle, but more details need to be hashed out. Republicans and Democrats voiced a number of times their desire to see bipartisan reform, but at this early stage, there doesn’t appear to be agreement on some of the finer points.
“Limited-scale preemption is okay; it’s not an all-or-nothing game,” said Samford University Cumberland School of Law Associate Prof. Woodrow Hartzog, also a witness at the hearing. He urged lawmakers to consider minimal preemption of state laws, having it be a floor rather than a ceiling. Hartzog noted that state laws are relatively new and that it’s not yet clear which approach to breach notification is most effective.
“Plus,” he said, “legislation must preserve states’ rights to regulate data security,” and it’s “too early to start rolling back protections” already provided by many states.
Retail Industry Leaders Association (RILA) Executive Vice President Brian Dodge voiced support for consumer notification when a breach causes economic harm, noting that federal preemption would help businesses comply with a more streamlined breach standard. Likewise, TechAmerica Executive Vice President Elizabeth Hyman and Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, also supported strong federal preemption and a harm-based trigger.
The patchwork of state regulations places a burden on businesses, Dodge, Hyman and Glasgow all argued. “States are constantly changing and updating their laws,” said Hyman. She said consumers are often not adequately protected because state laws vary so much. The patchwork also places an economic burden on businesses attempting to comply with such a complex network of laws.
Yet Hartzog suggested the differences among the 47 state laws are overstated. “Really, it’s not comparing apples to oranges … it’s more like comparing Fujis to red delicious apples.”
Hartzog also expressed concerns about a harm-based notification trigger.
“The harm trigger is a dubious proposition,” he said, “mainly because the concept of harm within privacy law is so contested.” There are lots of different types of harms beyond traditional economic harms and identity theft—health data, for example, can be used to discriminate, and other data, such as employee data, can be held hostage and leaked online, as was seen in the Sony hack. Additionally, the harm trigger is dubious because it’s difficult to draw a line of causation to prove harm, he explained.
Another concern among some of the panelists was the prospect of over-notification. Glasgow said when consumers get repeated information about security risks, and there’s no clear instruction on what to do, “then they tend to get far more complacent about them and potentially do not read the ones they need to respond to.”
Hartzog countered that notification provides a broad array of consumers, businesses and security researchers with reports that can point to breach trends and threats to help businesses.
The question of who should hold responsibility for notification was not agreed upon either. RILA’s Dodge said he thinks notification should rely solely upon the organization breached. Rep. Gregg Harper (R-MS) wondered whether that would create unnecessary confusion in the marketplace. Dodge, however, argued that placing the onus on the vendor responsible would serve as a natural incentive for companies to appropriately protect data. Perhaps the consumer-facing business and the breached vendor could work together to notify consumers, Hartzog suggested.
And when should the clock start? Dodge said it should begin once a breach event has been confirmed and law enforcement has been given adequate time to investigate potential criminal leads. He said organizations also need time to adequately train staff on how to respond to the public, so legislation should be flexible on a timeline.
There was also some agreement on who should enforce the prospective law. TechAmerica’s Hyman said it could be left up to the Federal Trade Commission or state attorneys general as long as one cancelled the other out. Hartzog pointed out that it’s important to have a multitude of different regulators and warned against having one central regulator because each agency has its own expertise; the Federal Communications Commission, for example, has extensive experience regulating telecommunications companies, while the Department of Health and Human Services has experience in healthcare.
Attempting to help reach bipartisan consensus, Rep. Peter Welch (D-VT) asked the panelists if they would favor preemption if there was also a strong data security standard. “I favor non-preemption,” said Welch, “but if we get the right standard, can we have preemption?”