CSO Disclosure Series | What's Next with Disclosure Legislation?

An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn’t have a federal breach notification law. Part of an in-depth series about disclosing breaches.

CSOonline.com has published an interactive map highlighting the 37 states that have followed California’s suit and passed laws requiring organizations to notify consumers whose personal information has been compromised. (To view the map, see "Data Breach Notification Laws, State by State.") But one site on the map is still muddied: Washington, D.C., where our nation’s leaders are still wrangling over how a federal disclosure law might look.

On the map, we’ve listed four of the proposed laws that seem to have had the most traction and broadest applicability. Many more than four laws have been proposed; some of those have been wrapped into these bills. Others address only specific aspects of breach disclosure, such as for federal agencies, says Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law. We caught up with Forsheit to learn more about what the hold-up is and how a federal law is likely to shape up.

CSO: In addition to the laws we’ve listed on our map, is there other pending federal legislation?

Forsheit: There are quite a few out there. In addition to those four, you’ve got S. 1178, the Identity Theft Prevention Act; also, S.1202, and two laws meant to deal with federal agency breach notification, H.R. 2124 and S. 1558. All of them cover similar ground. They all trump the state laws, and none allow a private cause of action. Most are meant to copy what the states have done and also delegate some enforcement authority to the Federal Trade Commission or Secret Service. The important point is none has made its way through yet.

CSO: Some of these bills have been in process for more than one session of Congress. So what’s taking so long?

Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated, as it is in many states, with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out. (For more information about how CSOonline.com readers think a federal law should look, see “A Disclosure Proposal.”)

CSO: What’s changing about data breach notification?

Forsheit: The landscape continues to change on a regular basis. It’s in everyone’s interest to watch what’s happening. Data breach notification is changing at the state and federal level. States continue to consider amendments.

CSO: Examples?

Forsheit: California recently added medical information to its list of data that requires notification in the wake of a breach. Others have amended their laws to apply to lost paper-based data. The most significant change being considered is severely restricting the use and storage of credit card data after transactions are cleared. But Governor Schwarzenegger vetoed the California proposal for that. There is such a law in Minnesota (see Proskauer Rose blog); it’s the only one. Other states have considered it and decided not to take action, but it’s a big potential shift. With Minnesota’s restrictions on storing credit card data out there, if you do business in Minnesota, you have to comply. It’s not insignificant that Minnesota has done that.

CSO: What about the 11 states that don’t yet have laws? Are they waiting for a federal bill?

Forsheit: In some of those states, there have been proposals that just haven’t made their way through. If we don’t see federal legislation soon, those remaining states will likely enact some law.

CSO: Is it fair to say it’s baffling that something hasn’t passed?

Forsheit: I wouldn’t call it baffling, but it is interesting that we haven’t seen a federal bill passed.

Copyright © 2008 IDG Communications, Inc.