Here we go again. Every year it seems there’s at least one federal bill to create a national data breach notification standard. This year, there are at least five in the mix.
The renewed push by lawmakers isn’t surprising given the raft of high-profile security breaches this year involving Sony,
Movement towards a federal breach notification law started fairly soon after California enacted its groundbreaking security breach disclosure law, known as SB1386, in 2002. Since then, 46 states have passed some form of breach notification requirement, creating a maze of laws that companies must navigate in the event of a breach. A national law would supersede the patchwork of state laws.
This fall, the Senate Judiciary Committee approved three bills that would create a national data breach notification standard. The Data Breach Notification Act introduced by Sen. Dianne Feinstein (D-CA) – who has made several previous attempts to create a national notification standard – would require organizations to notify individuals of a breach involving unencrypted personal data; companies would be exempted from the requirement if they can prove to the Federal Trade Commission there is no significant risk of harm to those affected by the breach.
In addition to creating a national standard for breach notification, the Personal Data Privacy and Security Act of 2011 incorporates several cybersecurity proposals from the Obama administration. It would require businesses to implement data privacy and security programs to protect consumers’ personal information, and also would impose criminal penalties for intentionally concealing a data breach. The Personal Data Protection and Breach Accountability Act proposes strict notification requirements and would require companies collecting information on 10,000 or more individuals to implement security and privacy programs.
In November, the Senate Commerce Committee continued to debate the Data Security and Breach Notification Act, which would impose security requirements for companies retaining sensitive consumer data. Meanwhile, the House Energy and Commerce Committee argued over a breach notification bill proposed by Rep. Mary Bono Mack (R-Calif.).
Experts monitoring these legislative developments have mixed expectations. Francesca Wolf, legal counsel and compliance officer at the information security, forensics and data breach practice of Kroll, thinks a breach notification law is one of the few bipartisan issues that could get through Congress. By clearing out the patchwork of state laws, a national breach notification would be business friendly, which appeals to Republicans, while Democrats support the consumer protection element, she says.
It’s been difficult for businesses to keep track of the growing number of state breach laws, Wolf says: “Especially since it’s not something that comes up until you have a breach, then all of the sudden you’re having to assess your legal obligations in all the states if you have a nationwide breach.”
But David Navetta, founding partner of the Information Law Group, is more skeptical. No breach notification proposal has been able to appease both sides – business advocates and consumer protection proponents – he says. Businesses often aren’t too happy with the credit monitoring requirements and fines for violations included in many bills, while consumer advocates don’t like risk-of-harm exemptions.
“There’s a wide gulf between those competing interests,” Navetta says. “I’m not sure it’s bridgeable on any level.”
In the wake of so many breaches this year, lawmakers need to find a way to overcome the odds and get a bill to the president. Clearly businesses need some relief from the maze of state breach laws. At the same time, we consumers need to know promptly if a breach involves our personal data. Let’s hope lawmakers can finally strike the right balance and get a law passed that streamlines the notification process for businesses while also providing the protection consumers need.
Marcia Savage is editor of Information Security. Send comments on this column to email@example.com
This was first published in November 2011