As could be expected after the Sony Pictures data breach, the White House is again sponsoring a national data breach notification law. Previous attempts to pass such legislation have not been successful at the national level. This time, increased visibility of the impact on individuals is creating momentum for discussion of suitable notification requirements.
Currently 47 states have some type of data breach notification law. Three states do not have a law – New Mexico, Alabama and South Dakota. The existing 47 laws vary in what they cover and in their timing stipulations. Notification deadlines range from 5 days to 45 days. President Obama’s recommendation for a national law would standardize notification timing as well as the required communications after a breach, regardless of where the business is located and where the individual resides.
Consistency would streamline the notification process for national companies that suffer a breach and ideally make it easier for consumers to understand what the impact to them might be.
Critics of the proposed law are concerned about the vagueness of some of its requirements. Privacy issues are also a concern. Some large businesses are worried that the proposed 30-day notification window is too short for them to fully analyze the breach details and therefore determine what notifications are appropriate.
Highlights of the Proposed Law
- Notifications will be required within 30 days of a data breach discovery.
- Personally Identifiable Information (referred to as PII) will be the trigger. PII is generally defined as any information that can, by itself or in conjunction with other information, identify a specific individual. This proposed law is comprehensive in its definition of identification. The data does not need to be connected to a person’s name to be considered identifiable. For example, a credit card number alone is enough to trigger a notification. Other examples of key data triggers for notification include:
  - Social Security number.
  - Driver’s license number.
  - Bank account number, credit card number or debit card number.
  - Passport number, alien registration number or other government-issued unique identification number.
  - Unique biometric data such as a fingerprint.
  - User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
- A data breach is defined as the unauthorized access to, or acquisition of, sensitive personally identifiable information.
- The notification is required regardless of who “owns” or “uses” the data. If a breach occurs at a third party that is licensed to use the data, that entity will be required to comply with the breach law.
- Under the proposed bill, both state Attorneys General and the Federal Trade Commission would have enforcement powers.
What Your Business Can Do
You should think about how you will respond to a data breach within 30 days. Who do you need to contact, and what are the logistics of communicating with your customers? What is your backup plan while you get your systems back in operation? One interesting tactic Sony Pictures used was to reestablish the use of former Blackberry devices for executives while the company hardened its network.
Identify who your legal representatives and your PR team will be. If you have a game plan ready in advance, you will diminish the negative impacts of breach notifications.