Personal data exposed! How can we fix this mess?
Part of the reason business is interested in a federal consumer data breach notification law is that there is currently a crazy quilt of state legislation (38 states and counting), and compliance across all of them is difficult. Here are two perspectives on what "should" be included in a federal data breach notification law. What is your perspective? How would you define these elements at a federal level? Should a federal law be broadly inclusive? Should encryption be a "safe harbor" that exempts a breach of encrypted data from notification?
From the perspective of businesses, a federal consumer data breach notification law should contain:
- Clear definitions of what is and what is not a “breach”
- Clear standards for providing notification, including how the notification is to be delivered
- When notification must be provided, e.g., how long after the breach is discovered
- Who must provide notification: the owner of the data or the party responsible for the breach
- A notification trigger that allows a determination of whether harm or misuse of the data is possible before notification is required
- Clear Federal preemption of all similar state laws
- Enforcement by the Federal Trade Commission under rules promulgated by the FTC (like Gramm-Leach-Bliley and CAN-SPAM)
- No private right of action
- “Safe harbor” for encrypted data
Consumer and privacy advocates oppose federal legislation that, in their view, would weaken existing state protections. From their perspective, a federal consumer data breach notification law should contain these measures:
- Companies must notify individuals whose personal information is compromised.
- Notification must occur by written means (electronic or by mail) without unreasonable delay.
- Companies must implement notification procedures, review them annually, and update them when necessary.
- "Companies" include all entities and individuals conducting interstate transactions that request or store personal information.
- Personal information means an individual's first and last name combined with one or more of the following: date of birth, Social Security number, account number, or driver's license number.
- Notification should be required without regard to whether there is the possibility for harm.
- Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.
- Private right of action and civil penalties for failure to comply.
- No preemption of more stringent/protective state laws.
What would you add? Delete? Share your thoughts by commenting below. Your comments and suggestions will be compiled and published as a new draft of a proposed federal law in an upcoming issue of CSO magazine. Don’t hold back.