Friday, July 24, 2009

Will the Third Try be a Charm for Federal Breach Notification Law?

The following article was in today's privacy bulletin. Since the first state breach notification law went into effect in California in 2003, 43 other states have enacted their own versions, creating a worthwhile but patched-together set of regulations that are at best vague and that contain huge lapses, so that a company experiencing a breach can likely get away without any sort of notification to potential victims. Hopefully this legislation will contain enough bite to be effective. Only when we see transcripts of the bill will we know if we are headed in the right direction or for another legislative compromise. Thresholds for notification need to include not only electronic breaches and large-scale hacks of computer servers, but also theft and misuse of paper records, and need to provide for smaller incidents. Only by creating effective notification laws can businesses be held accountable to the public, who expect their information to be reasonably safe.

Vermont Senator Patrick Leahy (D) has reintroduced the Personal Data Privacy and Security Act, the third attempt by Congress to pass a federal data breach law that would pre-empt the 44 individual state data breach laws and create a single response and notification standard in the U.S. InternetNews reports that in a statement, Leahy said the bill addresses serious consumer privacy and data security issues and vowed that, "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as chairman of the Judiciary Committee."