The latest bill to address the problem of data breaches is just one of an increasingly long line of proposed federal breach notice regulations with little to no chance of becoming law this year.
The Data Security and Breach Notification Act of 2012 was introduced last month by Sen. Patrick Toomey, a Pennsylvania Republican. It’s the eighth bill of its kind to be introduced in Congress.
But with the upcoming election and a partisan fervor that unbelievably has trickled down into data security legislation, it’s unlikely to get voted on this year.
One of the issues I have with the bill is that it misses the entire impetus, origin and reason for data breach notification regulations to begin with: consumer protection.
When comparing the bill to existing state laws on the subject, the lack of focus on consumer protection and an emphasis on making it business-friendly become evident.
It becomes evident not by looking at what the bill contains, but by looking at what is purposely missing:
• There is no credit bureau notice requirement.
• There is a lack of a law enforcement notice requirement unless the breach involves 10,000 or more individuals, in which case federal agencies like the FBI and Secret Service must be notified.
• It lacks any real data protection requirements for businesses. The bill’s language vaguely calls for “reasonable measures to protect data.”
• There is no real threshold number for alternate/non-hardcopy letter notices, which means how businesses alert affected parties is up for interpretation.
• No enforcement is allowed by anyone other than the Federal Trade Commission. (No enforcement by state attorneys general, and none by consumers themselves.) It would simply make the FTC the police, since the commission would have no rule-making authority under the bill.
• There is no statutory value of “data,” nor any private right of action. Penalties would be capped at $500,000 per breach.
To be clear, this proposed regulation would also preempt all state breach notification laws currently on the books. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have laws that require businesses to notify customers if a data breach involves their personal information.
This preemption, combined with the lack of enforcement by state attorneys general, may be the most troubling portion of the bill, since states have been at the vanguard of this issue both in passing meaningful regulations and in dealing with the small and midsize businesses that suffer breaches.
The only current federal data breach requirement (under HIPAA, which is applicable only to those in the medical industry) takes a better approach by allowing multiple levels of enforcement that include Health and Human Services, the Federal Trade Commission, and state attorneys general.
Multiple levels of enforcement are the only way consumers can make sure their information is protected and that they’ll receive notice when it has been exposed. How important is it to consumers to have the state AGs involved? Well, it’s worth noting that this year the National Association of Attorneys General (NAAG) selected “Privacy in the Digital Age” as its organizational initiative.
In my opinion, any suggestion limiting the state AGs’ ability to enforce data breach regulations sounds a lot like the wolves trying to make the case to the shepherd that sheepdogs are unnecessary because a shoddy 3-foot-high fence is enough protection.
Eduard Goodman, Chief Privacy Officer, Identity Theft 911
An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.