A committee recently met in Washington, D.C., to continue discussing President Obama’s proposed data breach notification legislation. Although a single national standard for data security is badly needed, the practicalities of getting it right remain a key concern for lawmakers, both in Congress and in the states. The open questions include:
Covered entities and sectors
- How broadly should a federal data security law reach, and what entities and sectors should be covered?
- Should sector-specific data breach notification laws, such as those applying to financial and health information, be handled separately under specific regulations?
- Should a federal data breach rule override state breach notification laws?
- Should a federal law weaken the enforcement authority of state attorneys general, or can federal and state enforcement authorities have parallel jurisdiction?
- Which types of breaches should prompt notification?
- Would a notification obligation based on consumer harm be problematic given the difficulty of proving actual harm?
- How many days should companies be allowed to investigate a breach before notifying consumers?
- How can the regulatory approach guard against over-notification?
While we wait for lawmakers to answer these questions, the proposed bill as it stands has been received positively. A recent ISACA report on the state of cybersecurity found that 70% of its US members either agree or strongly agree with the proposal; their main concern (cited by 40%) is the damage to corporate reputation that could follow from having to notify consumers within 30 days of discovering a breach.
“If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
President Obama’s State of the Union Address, January 2015
As Congress debates the bill, states continue to enact and strengthen their own data breach laws. California recently made three notable changes to its law, and New York Attorney General Eric Schneiderman announced this month that he will propose legislation to toughen New York’s data breach notification law.