Is it time for a national data breach notification law?

Federal lawmakers are again considering legislation that would create nationwide rules for notifying potential victims of identify theft when organizations improperly expose their sensitive information.

The Senate Judiciary Committee approved two bills this month that would impose data breach notification requirements on businesses, and a bill with notification requirements is making its way through the House.

It’s not the first time lawmakers have pushed for such federal requirements. However, previous efforts stalled in the legislative process. In the absence of federal requirements, most states have promulgated their own laws, creating a complicated legal patchwork.

Gail Hillebrand, senior attorney at the West Coast Office of Consumers Union, a nonprofit organization that publishes Consumer Reports, said some states have requirements that are more stringent than the ones that Congress is proposing. Hillebrand said consumers are already receiving proper notifications from businesses and that companies tend to follow the requirements of the state with the highest standards when there is a breach that affects people nationwide.

She said it was a positive sign that the bill proposed by Sen. Patrick Leahy (D-Vt.) dealt with data brokers, or businesses that get paid for collecting, transmitting or providing sensitive personal data.

Hillebrand said her group supports both bills that recently made it through the Senate Judiciary Committee and supports the notice of breach approach in the House bill. However, for the House measure, the group has concerns about the scope of the pre-emption of state laws that address data safeguards.

Meanwhile, Enrique Salem, CEO of Symantec, said in an e-mail that the Leahy bill was “a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur.” Salem said Symantec believes the United States urgently needs to pass a national data breach law.

About the Author

Ben Bain is a reporter for Federal Computer Week.

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Tue, Dec 1, 2009 Thom VanHorn - AppSecInc.com

This legislation is absolutely a move in the right direction. Potential victims of a data breach need to be notified as soon as possible after the incident is discovered. However, this legislation is akin to closing the barn door after the horse has escaped. The legislation that is truly needed woul put in place well defined mandatory parameters for the protection of sensitive and personal information. It's time to get proactive rather than reactive!

Thu, Nov 19, 2009 Robin White Austin, TX

Because of the fact that it so often involves interstate commerce, a federal law is badly needed; because our borders are porous, at least with regard to the internet, a uniform international agreement is also badly needed.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above