
Personal data exposed! How can we fix this mess?

Apr 19, 2007 | 3 min read

Topics: Business Continuity, Data and Information Security, IT Leadership

Part of the reason that business is interested in the implementation of a federal consumer data breach notification law is that there is currently a crazy quilt of state legislation — 38 states and counting — and compliance is difficult. Here are two perspectives on what “should” be included in a federal data breach notification law. What is your perspective? How would you define these elements at a federal level? Should a federal law be overly inclusive? Should encryption be a “safe harbor”?

From the perspective of businesses, a federal consumer data breach notification law should contain:

  • Clear definitions of what is and what is not a “breach”.
  • Clear standards for providing notification, including how that notification is to be delivered.
  • When notification must be provided, e.g., how long after the breach is discovered.
  • Who must provide notification: the owners of the data or the party responsible for the breach.
  • A notification trigger that allows a determination of the possibility of harm or misuse of the data before notification is required.
  • Clear federal preemption of all similar state laws.
  • Enforcement by the Federal Trade Commission under rules promulgated by the FTC (as with Gramm-Leach-Bliley and CAN-SPAM).
  • No private right of action.
  • “Safe harbor” for encrypted data.

Consumer and privacy advocates are opposed to federal legislation if, in their view, it weakens existing state protections. From their perspective, a federal consumer data breach notification law should contain these measures:

  • Companies must notify individuals whose personal information is compromised.
  • Notification must occur by written means (electronic or by mail) without unreasonable delay.
  • Companies must implement notification procedures and review them annually, updating them where necessary.
  • “Companies” include all entities and individuals conducting interstate transactions that request or store personal information.
  • Personal information includes the first and last name of an individual with one or more of the following: date of birth, social security number, account number and driver’s license number.
  • Notification should be required without regard to whether there is the possibility for harm.
  • Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.
  • Private right of action and civil penalties for failure to comply.
  • No preemption of more stringent/protective state laws.

What would you add? Delete? Share your thoughts by commenting below. Your comments and suggestions will be compiled and published as a new draft of a proposed federal law in an upcoming issue of CSO magazine. Don’t hold back.

Cynthia Larose, CIPP, is a member in the Boston office of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC. Cynthia practices in the Business and Finance Section representing companies in information, communications and technology, including e-commerce and other electronic transactions. Her work with technology and technology companies includes licensing, strategic alliances and financings, complex outsourcing transactions, international transactions and privacy counseling. Stefani Watterson, CIPP, is an associate in the Washington office of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC, practicing in the Communications Section.