Home arrow Politics & Politicians arrow Federal Issues arrow White House and Congress Pushing for National Data Breach Notification Law
User Login





Lost Password?
No account yet? Register
Guard My Credit Menu
Home
- - - THE ISSUES - - -
Videos
Fraud and Scams
Credit Issues
Identity Theft
Privacy Issues
Our Children
Politics & Politicians
- - ACTION CENTER - -
Guard My Credit Links
Helpful Pamphlets
- - - - - - - - - - - - - - -
About ACCESS
Contact Us
About Our Site
Join the Fight
ACCESS is a non-profit, tax exempt consumer advocacy group.

Donations are tax deductable.

Guard My Credit Hits
11453981 Visitors
White House and Congress Pushing for National Data Breach Notification Law PDF Print E-mail

February 12, 2015 – For several years now, various special interests and politicians have been pushing the concept of a national data breach notification standard. On its face, the idea sounds great. But with a closer look at these proposals, it doesn’t take long to figure out that these proposals would significantly reduce the consumer protections that are already in place in many states. The latest proposals coming out of Washington, DC are no exception.

Image

Data breach notification laws started in California and quickly swept across the nation. Today, there are only three states which don’t have a data breach law on the books; Alabama, New Mexico and South Dakota. These three states account for less than 3% of the US population according to the latest census numbers.

Every proposed national data breach law that we are aware of has two things in common. First, all of them would make it illegal for the states to enforce their own data breach laws. Second, all of them are weaker than California’s law; still considered to be the gold standard among such laws.

Congress has already started hearings on President Obama’s latest proposal for a national data breach standard. And they are already getting pushback from retailers about a proposed requirement that victims be notified of a data breach within 30 days of discovery. Instead, it has been suggested that companies involved in a breach be given a period of time to conduct a risk assessment and, only after that assessment is completed, the 30 day clock for notification should begin. That suggestion is more than a little problematic.

It could take companies months to complete such an assessment. That means that it would be months before any consumer notifications take place. And in that time, consumers could easily fall victim to fraud and identity theft. Had a law like this been in place when the Target data breach took place there is almost no doubt that more consumers would have been victimized.

The “risk assessment” proposal is also troubling in that it almost certainly means the proposed law would allow companies to make their own determination about whether or not it is likely that breached data will be used to commit fraud. If the determination is made that the risk is low, the company would likely face no notification requirement at all. NOTE: The reason we suspect this will be a part of the proposal is that it has been proposed before at a national level. And 18 of the current state notification laws on the books include this loophole.

Another issue with the President’s proposal is that its definition of a data breach doesn’t cover medical records. That is simply poor planning. Medical records have become significantly more valuable to hackers than credit card and financial data. In fact, medical records can fetch prices that are 40 or 50 times higher on the black market than simple financial records.

Again, the California law comes into play. California’s data breach law includes medical records. The proposed federal law, in its current form, would make it illegal for California to require companies to make a data breach notification when medical records are breached.

Unfortunately, the push is on for what could become a weak national law dealing with data breaches. According to an article in the Credit Union Times, a representative from the National Retail Associatio, had the Gaul to tell congress that “companies would improve their data security if Congress required them to meet uniform notification standards in the event of a data breach.”

The article quotes him as saying “’Congress needs to provide incentives for companies to increase their security and nothing motivates like sunlight, requiring that every company have the same public notice obligations will provide this needed light.’”

In our opinion, they appear to be telling congress that unless a national law is passed, they aren’t going to make a sincere effort to protect consumer data. Of course if a weak bill does become law, they may not have to do anything additional to protect consumers. Consumers are simply caught in the middle.

We’ll continue to keep you posted as the bill moves through congress. 

byJim Malmberg

Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.

Follow me on Twitter:

 

Jim Malmberg has 8112 followers on Twitter

 

 

Follow ACCESS
Comments
Search
Only registered users can write comments!

3.25 Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."

 
Guard My Credit Polls
#1 - Why did you visit our site today?
 
.•*´¯☼ ♥ ♥ Your Support of These Links Is GREATLY Appreciated ♥ ♥ ☼¯´*•.
Advertisement
 
Go to top of page
Home | Contact Us |About Us | Privacy Policy
eXTReMe Tracker
12/23/2024 09:24:01