Definition Is So Retro
On the other hand, at least one critic thought the definition wasn't broad enough. "The definition of personal information is so retro," Eduard Goodman, the chief privacy officer of Identity Theft 911, wrote on the consumer rights group's 911 blog. He believes email addresses, geo-location data, geo-tagged metadata in images and religious affiliation should be included as sensitive data. The bill also doesn't include anything about lost or stolen paper records, Goodman said. Under the proposed bill's definition, the data breach at email marketing company Epsilon, in which an estimated 60 million email addresses and some names were stolen, would not be considered a data breach that would require the company to notify customers.

Businesses limited to only one state could argue they are not "engaged in or affecting interstate commerce," Goodman said. A company claiming to deal with 8,000 people a year could also claim to be exempt, even if the data breach affected a decade's worth of past and current customers in excess of 80,000 people, according to Goodman.

The bill also focuses on the private sector. There is nothing about how the law would apply to state agencies, which would cover incidents such as the accidental data exposure in Texas and the recent malware infection in Massachusetts. The proposals don't consider smartphones, social networking sites, cloud computing and geo-location technologies, according to Goodman. "We can do better than this," he said.

The good thing is that the FTC would have to come out with a lot of rules to clarify the law, and some of the provisions of the bill would likely be changed and modified before it becomes law, according to Goodman and McIntosh. Congress has been trying to pass a national data breach notification law for a long time, so there are a lot of interests waiting to weigh in, McIntosh said.
Goodman also said the bill "overprotects" small businesses by limiting who has to notify their customers of the breach. Businesses "engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period" are required to notify customers whose sensitive information may have been compromised, according to the proposed bill.