CSO Disclosure Series | What's Next with Disclosure Legislation?
An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn’t have a federal breach notification law. Part of an in-depth series about disclosing breaches
By Scott Berinato
February 11, 2008
CSO
CSOonline.com has published an interactive map highlighting the 37 states that have followed California’s suit and passed laws requiring organizations to notify consumers whose personal information has been compromised. (To view the map, see "Data Breach Notification Laws, State by State.") But one site on the map is still muddied: Washington, D.C., where our nation’s leaders are still wrangling over how a federal disclosure law might look.
On the map, we’ve listed four of the proposed laws that seem to have had the most traction and broadest applicability. Many more than four laws have been proposed; some of those have been wrapped into these bills. Others address only specific aspects of breach disclosure, such as for federal agencies, says Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law. We caught up with Forsheit to learn more about what the hold-up is and how a federal law is likely to shape up.
CSO: In addition to the laws we’ve listed on our map, is there other pending federal legislation?
Forsheit: There are quite a few out there. In addition to those four, you’ve got S. 1178, the Identity Theft Prevention Act; also, S. 1202, and two laws meant to deal with federal agency breach notification, H.R. 2124 and S. 1558. All of them cover similar ground. They all trump the state laws, and none allow a private cause of action. Most are meant to copy what the states have done and also delegate some enforcement authority to the Federal Trade Commission or Secret Service. The important point is none has made its way through yet.
CSO: Some of these bills have been in process for more than one session of Congress. So what’s taking so long?
Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated, as it is in many states, with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out. (For more information about how CSOonline.com readers think a federal law should look, see “A Disclosure Proposal.”)
CSO: What’s changing about data breach notification?
Forsheit: