Policy needed for data breach response

The federal government should establish a basic policy that outlines how organizations respond to data breaches, some observers say.

The lack of consistent national requirements for data breach notifications has prompted more than 40 states to enact their own laws, which vary widely, said Lisa Sotto, head of the privacy and information management practice at law firm Hunton and Williams and an expert on privacy and data security.

“This is really creating a very complex situation when there is a breach, because there is very rarely a breach that affects residents of one state,” she said. “These variations make compliance extremely complex.”

Help might be on the way. Sen. Dianne Feinstein (D-Calif.) introduced a bill in January that would require federal agencies or businesses to notify people affected by a data breach. The measure is one of a series of bills introduced in recent years to address compromises of personal information.

Some privacy experts see the notification requirements in the recently signed stimulus legislation as a potential catalyst for broader federal legislation related to data breach notification. The stimulus bill’s measures cover only personal health information.

Pam Dixon, executive director of public research group World Privacy Forum, said the stimulus’ provisions were significant because they were the first recognition in federal law that the protection of data should go with the data itself.

Meanwhile, Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, said his organization supports a law for data breach notifications but feels the federal data breach law proposals so far have been watered down and could weaken state requirements.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.