In Depth

A Data Breach Disclosure Proposal

Two attorneys lead an online debate on how a federal breach disclosure law ought to look

By Sarah D. Scalet

September 07, 2007, CSO — Ever since California passed its groundbreaking data breach disclosure law (the famous California SB 1386) back in 2003, legislators across the country have been working on similar laws that would require companies to notify customers whose personal information has been compromised. Lawmakers in at least 37 other states have succeeded in passing similar legislation, creating what many businesses complain is an unruly patchwork of laws. Meanwhile, the U.S. Senate and House of Representatives are still trying to hammer out a federal version that everyone can agree on. Or at least live with.

Never ones to shirk a challenge, we at CSO wondered if our own readers couldn't come up with a more perfect disclosure law than any of those proposals that are meandering through committees on Capitol Hill. Two attorneys from the law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, which represents corporate clients in a range of industries, agreed to start the discussion at their itinerant blog on CSOonline.com, Security Legislation Sound Off. There, Cynthia Larose and Stefani Watterson, both of whom are certified information privacy professionals, got the debate rolling with a couple of lists of what the legislation might contain and asked readers to weigh in on how to craft the act.

From the perspective of businesses, Larose and Watterson suggested that the law might include:

Clear definitions of what is and what is not a "breach."

Clear standards for how and when notification is to be provided.

Clear standards regarding who must provide notification: data owners or the party responsible for the breach.

A notification trigger that allows determination of possibility of harm or misuse of the data before notification is required.

"Safe harbor" or exclusion if encrypted data is compromised.

No private right of action. Enforcement by the Federal Trade Commission under FTC-promulgated rules (like Gramm-Leach-Bliley and Can-Spam).

Clear federal preemption of all similar state laws.

From the perspective of consumers, Larose and Watterson suggested some requirements and definitions:

Companies must notify all individuals whose personal information is compromised.

Notification must occur by written means (electronic or by mail) without unreasonable delay. Companies must implement notification procedures and review and update those procedures if necessary on an annual basis.

"Companies" includes all entities and individuals conducting interstate transactions that request or store personal information.

"Personal information" includes the first and last name of an individual, with one or more of the following: date of birth, Social Security number, account number and driver's license number.

Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.
