Federal Data Breach Proposal gets Mixed Reactions

by Kristyan Mjolsnes
May 23, 2011 10:19AM

As we are in the midst of some of the biggest data breaches yet, at companies such as Sony and Epsilon, the Obama administration has proposed a new data breach notification law. The proposed law, which would consolidate 47 existing state statutes into a single federal law, gives breached companies 60 days to notify both affected individuals and the Federal Trade Commission of the incident.

However, there are a few exceptions in the bill. For example, if there was no reasonable risk of harm to the exposed parties, the business would not be required to report the breach. Also, a breach doesn’t have to be reported if the stolen data is encrypted or otherwise rendered unusable through approved IT measures.

After reviewing the government’s recommendations for “improving security for citizens, the nation’s infrastructure and the federal government’s own networks and computers”, the proposed bill has been met with mixed reactions among security and IT experts. Here are some of their major complaints:

1. Definitions aren’t modernized: The bill defines personally identifiable information (PII) as names, Social Security numbers and account numbers. Some critics believe that PII should also encompass identifying information such as usernames, email addresses, geo-location data and even religious affiliations.

2. Smaller organizations aren’t included: The bill only applies to companies that interact with at least 10,000 customers a year. So, smaller businesses would not be required to notify anyone in the event of a data breach, no matter how damaging it is.

3. Stronger state laws would be pushed aside: Because this federal law would preempt state law, the stronger state laws currently in place would be weakened. Plus, it would become the federal government’s responsibility to press charges against breached companies. Many experts fear that once budget cuts are passed and resources are tight, data privacy and breach issues will be a low priority.

4. No private right of action: Most state data breach laws include a private right of action clause, which gives exposed consumers the ability to sue the company for damages. Under Obama’s proposed law there is no such clause, so citizens are left with no way to defend and protect themselves after a company is negligent.

5. Doesn’t protect against physical theft: Physical data theft is increasing among businesses and leading to more and more data breaches. This bill proposal doesn’t cover hard copy or physical data breaches, unlike some of the previous state laws.

As our legislators move closer to approving a single data breach law for the whole country, these weaknesses need to be addressed. We owe it to consumers to give them better protection and recourse against hackers, instead of giving breached companies loopholes.
