The latest bill to address the problem of data breaches is just one of an increasingly long line of proposed federal breach notice regulations with little to no chance of becoming law this year.
The bill was introduced last month by Sen. Patrick Toomey, a Pennsylvania Republican. It’s the eighth of its kind to be introduced in Congress.
But with the upcoming election and a partisan fervor that unbelievably has trickled down into data security legislation, it’s unlikely to get voted on this year.
One of the issues I have with the bill is that it misses the entire impetus, origin and reason for data breach notification regulations to begin with: consumer protection. When comparing the bill to existing state laws on the subject, the lack of focus on consumer protection and the emphasis on making it business-friendly become evident, not from what the bill contains, but from what is purposely missing:
To be clear, this proposed regulation would also preempt all state breach notification laws currently on the books. Currently have laws that require businesses to notify customers if a data breach involves their personal information.
This preemption and lack of state attorneys general enforcement may be the most troubling portion of the bill since states have been at the vanguard of this issue from both the perspective of passing meaningful regulations in the area and from the perspective of dealing with the small and midsize businesses that suffer breaches.
The only current federal data breach requirement (under HIPAA, which applies only to those in the medical industry) takes a better approach by allowing multiple levels of enforcement, including Health and Human Services, the Federal Trade Commission, and state attorneys general. It is the only way consumers can make sure their information is protected and that they’ll receive notice when it has been exposed. How important is it for a consumer to have the state AGs involved? Well, it’s worth noting that this year the National Association of Attorneys General (NAAG) selected “Privacy in the Digital Age” as its organizational initiative.
In my opinion, any suggestion limiting the state AG’s abilities to enforce data breach regulations sounds a lot like the wolves trying to make the case to the shepherd that sheep dogs are unnecessary because a shoddy 3-foot-high fence is enough protection.
Eduard Goodman, Chief Privacy Officer, Identity Theft 911
An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.