Five Things to Watch for in a National Breach Notification Law

High-profile data breaches are back in the headlines as businesses—including many in the communications sector—fall prey to a growing number of cyberattacks. So far this year, 251 public notifications of data breaches have been reported according to the Privacy Rights Clearinghouse.

The latest attack comes on the heels of the Obama administration’s recent proposal to replace conflicting state laws with a uniform standard. The idea is not a new one—national breach notification legislation has been in discussion on Capitol Hill since 2007. With the addition of the White House proposal, three data breach notification bills are now under consideration. But rather than waiting for passage of a new law, communications companies and businesses in general should be aware of the issues and take steps to prepare.

Replacing 48 laws with one
Currently, notification standards differ on a state-by-state basis: 46 states, plus the District of Columbia and Puerto Rico each enforce their own standards.

The many varying laws make compliance confusing and expensive. While getting to a single standard sounds like a good idea, finding a single solution becomes difficult when there are 48 different laws to reconcile. The challenge is to craft a uniform national law that preempts state laws, while providing adequate consumer protection.

Five things to look for in a National Breach Notification Law
Passing a single law will be an uphill battle. In the meantime, these are some of the issues that will need to be resolved before a national breach standard can be enacted:

  • What types of personal information should be protected?
    • First and last name + other info (e.g. bank account number)
  • What should be classified as “personal” information?
    • Email addresses and user names
    • Health and medical information (California now includes this)
  • What qualifies as a breach and what are the triggers for notification?
  • What information should be included in a breach notice?
  • How soon after a breach should notification be sent?
    • Some states require notices be sent within a set number of days, others ASAP.

Potential penalties
What could happen if a company doesn’t comply with the proposed laws? Under the White House bill, fines would be limited to $1,000/day, with a $1 million cap. The two bills in the House would impose penalties of $11,000/day, maxing out at $5 million.

How to prepare before a national standard is passed
Although the timing for passage is uncertain, communications companies need not wait for a national law to pass before taking action. Put a plan in place instead of sorting through 48 different laws.

Preparation can be as simple as making a phone call to your Experian rep about our data breach protection services. Having managed over 2,300 data breach events, Experian can help you effectively mitigate loss.

In addition to following updates on this page, you can also stay informed about the progress of pending data breach legislation by following the Data Breach Blog.

Share your thoughts and concerns on the current proposals by leaving a comment.

For further reading on this subject: