Personal data exposed! How can we fix this mess?

Part of the reason that business is interested in the implementation of a federal consumer data breach notification law is that there is currently a crazy quilt of state legislation -- 38 states and counting -- and compliance is difficult. Here are two perspectives on what “should” be included in a federal data breach notification law. What is your perspective? How would you define these elements at a federal level? Should a federal law be overly inclusive? Should encryption be a “safe harbor”?


From the perspective of businesses, a federal consumer data breach notification law should contain:

  • Clear definitions of what is and what is not a “breach”
  • Clear standards for notification, including how that notification is to be provided
  • When notification must be provided, e.g., how long after the breach is discovered
  • Who must provide notification: the owner of the data or the party responsible for the breach
  • A notification trigger that allows the possibility of harm or misuse of the data to be assessed before notification is required
  • Clear federal preemption of all similar state laws
  • Enforcement by the Federal Trade Commission under rules promulgated by the FTC (as with Gramm-Leach-Bliley and CAN-SPAM)
  • No private right of action
  • “Safe harbor” for encrypted data

Consumer and privacy advocates are opposed to federal legislation if, in their view, it weakens existing state protections. In their view, a federal consumer data breach notification law should contain the following measures.

  • Companies must notify individuals whose personal information is compromised.
  • Notification must occur by written means (electronic or by mail) without unreasonable delay.
  • Companies must implement notification procedures and review them annually, updating them if necessary.
  • “Companies” include all entities and individuals conducting interstate transactions that request or store personal information.
  • Personal information includes the first and last name of an individual together with one or more of the following: date of birth, social security number, account number and driver’s license number.
  • Notification should be required without regard to whether there is the possibility of harm.
  • Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.
  • Private right of action and civil penalties for failure to comply.
  • No preemption of more stringent/protective state laws.

What would you add? Delete? Share your thoughts by commenting below. Your comments and suggestions will be compiled and published as a new draft of a proposed federal law in an upcoming issue of CSO magazine. Don’t hold back.