Could We Finally Be Getting The National Data Breach Law We Need?

Anthony Di Bello

Readers of this blog know that I’m a proponent of a federal data breach disclosure law, and that a national data breach notification law - or possibly an international agreement - that streamlines breach disclosure mandates is long past due. As we wrote earlier this year, people do need to know that certain records have been compromised. But asking companies to contend with different data breach notification laws wherever they sell their goods or services is creating too much confusion.

Fortunately, we may finally be getting a federal breach disclosure law with the Data Security and Breach Notification Act of 2012. According to the draft bill, the act would require organizations to take “reasonable measures” to protect personally identifiable information. For the purpose of breach notification, that would include Social Security numbers, driver’s license numbers, and financial, credit or debit card numbers together with their associated security codes. Fines for non-compliance could be as high as $500,000. The Federal Trade Commission would see to enforcement of the law.

Assuming this bill isn't weakened too much as it moves through Congress, I’d be happy to see it become law. Eventually, an international breach disclosure standard would be ideal. Currently, there are too many laws that organizations have to contend with. There are more than 40 state data breach disclosure laws in the U.S. And in the European Union, this year, they've discussed requiring data breach notification within 24 hours of knowledge of a breach.

Supporters of this bill argue, rightly so, that the mess of several dozen state laws creates too much complexity, and that this law would simplify disclosure and some aspects of incident response planning for businesses that have customers in multiple states. And, let’s face it, that is just about everyone. And, because this bill, as it’s currently written, calls for risk-based decisions, organizations will be able to take reasonable steps to identify the nature of a breach before they disclose. That will lessen the confusion that breach disclosures cause for consumers, partners, and law enforcement.

There’s no way to tell yet the chances this bill has of making it into law, but whether or not this bill moves forward, there will be a national data breach law - and a good one can’t come soon enough.

Here are a handful of additional interesting news stories and blogs on the Data Security and Breach Notification Act of 2012:
