
CSO Disclosure Series | What's Next with Disclosure Legislation?

An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn’t have a federal breach notification law. Part of an in-depth series about disclosing breaches

By Scott Berinato

February 11, 2008 (CSO) — CSOonline.com has published an interactive map highlighting the 37 states that have followed California’s suit and passed laws requiring organizations to notify consumers whose personal information has been compromised. (To view the map, see "Data Breach Notification Laws, State by State.") But one site on the map is still muddied: Washington, D.C., where our nation’s leaders are still wrangling over how a federal disclosure law might look.

On the map, we’ve listed four of the proposed laws that seem to have had the most traction and broadest applicability. Many more than four laws have been proposed; some of those have been wrapped into these bills. Others address only specific aspects of breach disclosure, such as for federal agencies, says Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law. We caught up with Forsheit to learn more about what the hold-up is and how a federal law is likely to shape up.

CSO: In addition to the laws we’ve listed on our map, is there other pending federal legislation?

Forsheit: There are quite a few out there. In addition to those four, you’ve got S. 1178, the Identity Theft Prevention Act; also, S. 1202, and two laws meant to deal with federal agency breach notification, H.R. 2124 and S. 1558. All of them cover similar ground. They all trump the state laws, and none allow a private cause of action. Most are meant to copy what the states have done and also delegate some enforcement authority to the Federal Trade Commission or Secret Service. The important point is none has made its way through yet.

CSO: Some of these bills have been in process for more than one session of Congress. So what’s taking so long?

Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated, as it is in many states, with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out. (For more information about how CSOonline.com readers think a federal law should look, see “A Disclosure Proposal.”)

CSO: What’s changing about data breach notification?

Forsheit:
