BreachExchange mailing list archives

Another Breach Notification Bill Introduced


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 30 Apr 2015 18:57:41 -0600

http://www.databreachtoday.com/another-breach-notification-bill-introduced-a-8189

Privacy advocates in the Senate have unveiled a national data breach
notification bill that would allow states to keep their own laws if they
provide more stringent reporting and privacy protections than offered by
the federal government.

The Consumer Privacy Protection Act, introduced April 30, is sponsored by
Sen. Patrick Leahy of Vermont along with five other Democratic senators as
cosponsors: Al Franken of Minnesota; Ed Markey and Elizabeth Warren, both
of Massachusetts; Richard Blumenthal of Connecticut; and Ron Wyden of
Oregon.

Although backed by a number of privacy and civil liberties groups, business
organizations would likely oppose the bill because it would not standardize
the reporting of data breaches. A major objection to the current regime is
that 51 states, territories and the District of Columbia have their own
laws with varying requirements, which businesses contend are burdensome
to comply with when a breach occurs.

"A federal standard cannot simply become a 48th standard that states can
add their own requirements atop," Elizabeth Hyman, executive vice president
for public advocacy at the technology trade group TechAmerica, told
Congress earlier this year. "Overlaying more regulations on top of the
existing patchwork of laws adds to the problem and does not help our
companies protect consumers."

Argument Against Preemption Offered

Other bills introduced in the current Congress would replace state laws that
have varying reporting and security requirements with a single federal law. "A
national data breach standard may make sense on one hand: having multiple,
inconsistent laws for when to notify consumers of a breach could be
difficult for companies to implement," said Alex Bradshaw, a fellow at the
think tank Center for Democracy and Technology. "However, consumer
protections would be significantly set back if the federal standard
preempts significantly stronger state laws, or stops states from responding
to emerging threats by passing new notification requirements."

Indeed, privacy advocates and leaders in states with laws containing
stringent cybersecurity requirements object to the other bills, which they
see as threatening the security and privacy of their citizens. "Federal
legislation will only be helpful to consumers if it provides them with
greater privacy and security protection than they have today," said Susan
Grant, director of consumer protection and privacy at the Consumer
Federation of America.
"Most of the bills that we have seen in Congress would actually weaken
existing consumer rights and the ability of state and federal agencies to
enforce them."

Massachusetts Assistant Attorney General Sara Cable testified last month at
a House hearing that about a dozen states, including Massachusetts,
prescribe how data containing personally identifiable information should be
secured. "Minimum data security standards are important and necessary, but
the proposed standards (in other bills) leave consumers' data vulnerable,"
Cable said.

Summary of Bill

Among the Consumer Privacy Protection Act's key provisions:

- Requires companies that store sensitive personal or financial information
on 10,000 customers or more to meet consumer privacy and data security
standards to keep this information safe, and notify the customer within 30
days of a breach.
- Establishes a broad definition of information that must be protected,
including Social Security numbers; financial account information; online
usernames and passwords; unique biometric data, including fingerprints;
information about a person's physical and mental health; information about
a person's geolocation; and access to private digital photographs and
videos.
- Compels companies to inform federal law enforcement of all large
breaches, as well as breaches that involved federal government databases or
law enforcement or national security personnel.
- Guarantees a federal baseline of strong consumer privacy protections for
all Americans by preempting weaker state laws, while leaving stronger state
laws in place.

"We must ensure consumers have strong protections on the federal level, but
in so doing, we must make sure Congress doesn't weaken state protections
that consumers rely on to keep their information safe," Blumenthal said.
"Importantly, this measure strikes the right balance between state rights
and strong federal enforcement and extends consumer privacy protections
into a new digital era."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 