However, there are a few exceptions to the bill. For example, if the exposed parties faced no reasonable risk of harm, the business would not be required to report the breach. Also, a breach doesn’t have to be reported if the stolen data is encrypted or otherwise rendered unusable through approved IT measures.
1. Definitions aren’t modernized: The bill defines personally identifiable information (PII) as names, Social Security numbers and account numbers. Some critics believe that PII should also encompass identifying information such as usernames, email addresses, geo-location data and even religious affiliations.
2. Smaller organizations aren’t included: The bill only applies to companies that interact with at least 10,000 customers a year. So, smaller businesses would not be required to notify anyone in the event of a data breach, no matter how damaging it is.
3. Stronger state laws would be pushed aside: Because this federal law would preempt state law, the stronger state laws currently in place would be weakened. Plus, it would become the federal government’s responsibility to press charges against breached companies. Many experts fear that once budget cuts are passed and resources are tight, data privacy and breach issues will be a low priority.
4. No private right of action: Most state data breach laws include a private right of action clause, which gives exposed consumers the ability to sue the company for damages. However, under Obama’s proposed law there is no private right of action clause, so citizens are left with no way to defend and protect themselves after a company is negligent.
5. Doesn’t protect against physical theft: Physical data theft is increasing among businesses and is leading to more and more data breaches. This bill proposal doesn’t cover hard copy or physical data breaches, unlike some of the existing state laws.
As lawmakers move closer to approving a single data breach law to unify the country, these weaknesses need to be addressed. We owe it to consumers to give them better protection and defense against hackers, instead of giving breached companies loopholes.