Earlier this year, President Obama proposed to roll more than 47 State laws into one National standard with the proposed Data Security and Breach Notification Act of 2015, previously introduced by Obama as the Personal Data Notification & Protection Act. As Obama noted, “almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws.”
The legislation would require organizations to notify consumers of a breach within 30 days and would make it possible to pursue criminals who steal and sell identities overseas. There has been a great deal of criticism for this legislation, however, calling it a “weak national law,” one which would not cover a wide enough range of sensitive data and requires guesswork as to “possible financial harm.”
While the premise behind a unified Federal data breach notification law has merits, it looks like in practice that it will not ease the compliance burden for organizations just yet. Some States want to retain their ability to investigate data security practices and enforce the Federal law at the State level. Others posit that not all States will welcome a Federal law that is not as specific or exacting as their existing State law.
“It goes with the popular refrain that more privacy is always a good thing. If you eliminate a more stringent privacy protection, that could be seen as privacy reduction for consumers,” notes Reece Hirsch, Morgan Lewis partner.
In California, privacy and consumer groups argue that victims of breach should not be stripped of their right to sue. Given the ambiguity of the proposed Federal notification law, the Anthem breach may not have been reported, since Anthem could have argued a lack of “reasonable risk” for identity theft or economic harm, which would have left consumers in the dark about the loss of their names, addresses, birth dates and Social Security numbers.
The proposed legislation would leave it up to organizations to determine their own idea of “reasonable risk” as well as the “reasonable security measures” put in place to protect sensitive information. Given the increased regulatory pressure we’ve been seeing from other governing bodies, such as the OCR for HIPAA, the SEC and the FCC, it may be that we’ll see an increase in compliance pressures from outside the government.
Rather than wait for new regulations, your organization can proactively improve security now. This security, whether required by law or not, can help prevent costly data breaches over the next 2-3 years. Contact us to learn how Absolute Software can help your organization navigate the choppy regulatory landscape and to mitigate the ever-increasing data security risks.