The New Sellout Data Breach Notification Bill Being Reviewed by Congress
September 2, 2010 - It is called the Data Breach and Security Notification Breach Act of 2010 and it is being sponsored by Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV). At first glance, the bill does appear to be consumer-friendly and to have some compelling provisions. But a closer read of the legislation reveals some significant problems. At best, it's another example of career politicians believing that "Washington knows best." At worst, it's another example of the corruptive influence of lobbying.
The bill would put in place nationwide data breach notification rules. These rules would require any company that experiences a data breach to notify those whose data was exposed that they may be at risk for identity theft. These notifications would have to be made within 60 days of any breach, with certain limited exceptions for law enforcement purposes.
Unfortunately, that's about the extent of the good news associated with the proposed legislation. There are, however, a variety of bad features associated with the bill.
The new law would preempt all state data breach notification laws. Many of the state laws are much stronger and require more timely consumer notifications. It should be noted that as of this writing, 46 states, the District of Columbia, Puerto Rico and the US Virgin Islands already have data breach notification laws. All of these laws would be tossed out if this bill passes.
The law would also require offending companies to provide two years of credit monitoring services to data breach victims. ACCESS considers credit monitoring to be a colossal waste of time and money because it can only notify you after your identity has been stolen and does nothing to help you restore your credit. This clause alone means that the bill will provide windfall profits to the credit reporting agencies that offer such services. This may not be surprising, though, when you consider that both of the senators sponsoring the bill count a variety of companies within the financial services industry among their largest donors.
Perhaps most importantly, the bill actually provides a hollow shell for the creation of a government bureaucracy that would determine the rules for notifications, what actually constitutes a data breach and what procedures companies have to put in place to make notifications. It is quite troubling that these issues are left up to the determination of a separate commission. This will likely result in a wide variety of costly regulations being levied on companies and individuals with no assurance that they will be effective.
Given the fact that there are now only four US states that don't have data breach notification laws, this bill would appear to be either a "solution in search of a problem" or, in my opinion, a payoff to certain special interests. ACCESS agrees that it would be a good idea to have a minimum national standard to deal with issues created by data breaches, while allowing the states to set more stringent rules within their borders. This poorly written, ill-conceived bill does not accomplish anything close to that. It is nothing more than another Washington power grab that is likely to leave consumers dangling in the wind.