Federal Data Breach Notification Proposal Fails to Satisfy All Interests

The proposed federal data breach notification law defines how organizations should notify customers in case of a breach. But critics can't agree on whether the bill goes far enough.

The proposed federal data breach notification law will simultaneously simplify and complicate things for organizations in the wake of a security breach, experts said.

The White House outlined the data breach notification law within the broad cyber-security proposal that was sent to Congress May 12. If passed as is, the law would trump existing state notification laws currently in place in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands. The Federal Trade Commission would be responsible for enforcing the law along with state attorneys general. Civil penalties for violations could total $1 million.

While there are good and bad things about the proposed bill, there is a "net good" because it means there is only one law to follow in case of a data breach, said David McIntosh, a partner in the intellectual property group and corporate department at the law firm of Ropes & Gray. One of the difficulties organizations face after having data exposed or stolen has always been figuring out an appropriate response that complies with various state notification laws.

"One of the joys of the federal bill is standardization. One of the sorrows is that it's not complete standardization," McIntosh said.

Organizations will no longer have to negotiate "a patchwork of 47 state laws" after a data breach, the Obama administration said in its proposal. However, the bill did make allowances for states to define additional actions on top of the federal requirements the organization would have to follow.

If a state decides it wants organizations to include information about credit freezes or some local service to be included in the notice that is sent to the affected victims, it can enact such a provision, according to McIntosh. The organization is back to having to come up with a different version of the notification to meet that particular state's requirements, McIntosh said. But it will still be an improvement over the current system, McIntosh said.

However, the bill changes the rules a little bit and not necessarily in a positive way. The proposed federal law defines personal identifying information much broader than how state laws have traditionally defined them and makes it "more complicated," according to McIntosh. Most state notification laws are "triggered" when the data breach includes "name and a number," or the stolen data includes the person's first name, last name and some kind of a government-issued identification number, such as a Social Security number or a driver's license number, McIntosh said.

The proposed bill has broadened the scope of "sensitive personally identifiable information" significantly, McIntosh said. The proposed bill includes not only "unique biometric data" such as a fingerprint, voice print, or a retina or iris image in its definition of PII (personally identifiable information), but it also includes "any other unique physical representation."

"What does that mean? Is that a photo?" McIntosh asked. He said it isn't clear from the language whether the bill would include photographs of people as part of PII.