Part of the reason that business is interested in the implementation of a federal consumer data breach notification law is that there is currently a crazy quilt of state legislation — 38 states and counting — and compliance is difficult. Here are two perspectives on what “should” be included in a federal data breach notification law. What is your perspective? How would you define these elements at a federal level? Should a federal law be overly inclusive? Should encryption be a “safe harbor”?

From the perspective of businesses, a federal consumer data breach notification law should contain:

- Clear definitions of what is and what is not a “breach”
- Clear standards for notification, including how that notification is to be provided
- When notification must be provided, e.g., how long after the breach is discovered
- Who must provide notification: the owner of the data or the party responsible for the breach
- A notification trigger that allows a determination of the possibility of harm or misuse of the data before notification is required
- Clear federal preemption of all similar state laws
- Enforcement by the Federal Trade Commission under rules promulgated by the FTC (as with Gramm-Leach-Bliley and CAN-SPAM)
- No private right of action
- “Safe harbor” for encrypted data

Consumer and privacy advocates are opposed to federal legislation if, in their view, it weakens existing state protections. From their view, a federal consumer data breach notification law should contain these measures:

- Companies must notify individuals whose personal information is compromised.
- Notification must occur by written means (electronic or by mail) without unreasonable delay.
- Companies must implement notification procedures and review and update them, if necessary, on an annual basis.
- “Companies” include all entities and individuals conducting interstate transactions that request or store personal information.
- Personal information includes the first and last name of an individual together with one or more of the following: date of birth, social security number, account number, and driver’s license number.
- Notification should be required without regard to whether there is the possibility of harm.
- Following notification to individuals of the breach, companies must take reasonable steps to change the personal information to prevent unauthorized use of it.
- Private right of action and civil penalties for failure to comply.
- No preemption of more stringent or more protective state laws.

What would you add? Delete? Share your thoughts by commenting below. Your comments and suggestions will be compiled and published as a new draft of a proposed federal law in an upcoming issue of CSO magazine. Don’t hold back.

Privacy breach legislation: Speak up and be heard (opinion, by Mintz Levin, Apr 18, 2007)