The proposed federal data breach notification law defines how organizations should notify customers in case of a breach. But critics can't agree on whether the bill goes far enough.
proposed federal data breach notification law will simultaneously simplify and
complicate things for organizations in the wake of a security breach, experts
House outlined the data
breach notification law
within the broad
that was sent to Congress May 12. If passed as is,
the law would trump existing state notification laws currently in place in 46
states, the District of Columbia, Puerto Rico and the Virgin Islands. The
Federal Trade Commission would be responsible for enforcing the law along with
state attorneys general. Civil penalties for violations could total $1 million.
there are good and bad things about the proposed bill, there is a "net good"
because it means there is only one law to follow in case of a data breach, said
David McIntosh, a partner in the intellectual property group and corporate
department at the law firm of Ropes & Gray. One of the difficulties
organizations face after having data exposed or stolen has always been figuring
out an appropriate response that complies with various state notification laws.
the joys of the federal bill is standardization. One of the sorrows is that
it's not complete standardization," McIntosh said.
will no longer have to negotiate "a patchwork of 47 state laws" after a data
breach, the Obama administration said in its proposal. However, the bill did
make allowances for states to define additional actions on top of the federal
requirements the organization would have to follow.
state decides it wants organizations to include information about credit
freezes or some local service to be included in the notice that is sent to the
affected victims, it can enact such a provision, according to McIntosh. The
organization is back to having to come up with a different version of the
notification to meet that particular state's requirements, McIntosh said. But it
will still be an improvement over the current system, McIntosh said.
the bill changes the rules a little bit and not necessarily in a positive way.
The proposed federal law defines personal identifying information much broader
than how state laws have traditionally defined them and makes it "more
complicated," according to McIntosh. Most state notification laws are
"triggered" when the data breach includes "name and a number," or the stolen
data includes the person's first name, last name and some kind of a
government-issued identification number, such as a Social Security number or a
driver's license number, McIntosh said.
bill has broadened the scope of "sensitive personally identifiable information"
significantly, McIntosh said. The proposed bill includes not only "unique
biometric data" such as a fingerprint, voice print, or a retina or iris image
in its definition of PII (personally identifiable information), but it also
includes "any other unique physical representation."
does that mean? Is that a photo?" McIntosh asked. He said it isn't clear from
the language whether the bill would include photographs of people as part of