When a business loses personal data -- whether through a stolen laptop or a network security breach -- some state laws require the company to notify people who could be affected by the disclosure.
Right now Congress is considering bills for a federal consumer data breach notification law. But what should that law include? What should companies do? Who should be held responsible?
Later this week, we will post a draft that suggests what such a law should look like. We encourage you to add your comments and suggestions to the proposal. We will compile your suggestions and then publish a new draft of a proposed federal law in an upcoming issue of CSO magazine.






A couple of points, as a consumer:
I should not have to agree to my personal information being shared in order to get a reduced price or obtain additional features for something I am already paying for.
I need to be compensated if, due to a data breach, I become a victim of identity theft or fraud.
Companies should not be using SSN as a serial number. SSN should only be used to run credit checks and/or for employment!
If I am no longer a customer of a company that has my information, then my records should be deleted/removed. Do not allow companies to retain data after they legally need to... say for warranty information.