CSO Disclosure Series | What's Next with Disclosure Legislation?

An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn’t have a federal breach notification law. Part of an in-depth series about disclosing breaches.

By Scott Berinato

The landscape continues to change on a regular basis. It’s in everyone’s interest to watch what’s happening. Data breach notification is changing at the state and federal level. States continue to consider amendments.

CSO: Examples?

Forsheit: California recently added medical information to its list of data that requires notification in the wake of a breach. Others have amended their laws to apply to paper-based data lost. The most significant change being considered is severely restricting the use and storage of credit card data after transactions are cleared. But Governor Schwarzenegger vetoed the California proposal for that. There is such a law in Minnesota (see Proskauer Rose blog); it’s the only one. Other states have considered it and decided not to take action, but it’s a big potential shift. With Minnesota’s restrictions on storing credit card data out there, if you do business in Minnesota, you have to comply. It’s not insignificant that Minnesota has done that.

CSO: What about the 11 states that don’t yet have laws? Are they waiting for a federal bill?

Forsheit: In some of those states, there have been proposals that just haven’t made their way through. If we don’t see federal legislation soon, those remaining states will likely enact some law.

CSO: Is it fair to say it’s baffling that something hasn’t passed?

Forsheit: I wouldn’t call it baffling, but it is interesting that we haven’t seen a federal bill passed.
