IS THE PROPOSED NATIONAL DATA BREACH NOTIFICATION LAW GOOD ENOUGH?

President Obama recently proposed a national data breach notification law to lawmakers. Is the proposed federal data breach notification law good enough for consumers? The proposed law was sent to Congress on May 12 and, if passed, would preempt existing state breach notification laws. Currently, 46 states have breach notification laws, in addition to the District of Columbia, Puerto Rico and the Virgin Islands.

Under the new cyber security law, the Federal Trade Commission and state attorneys general would be responsible for enforcement. The proposed law includes civil penalties for violations of up to $1 million.

How does the proposed law differ from the state breach notification laws? First, the proposed law expands the definition of personal identifying information (PII). For example, the proposed law’s definition of PII includes biometric data such as a fingerprint, voice print, or a retina or iris image. This is a plus for consumers whose compromised data did not meet the narrower definition of PII under some state laws; in that situation the corporation had no obligation to give notice of the breach.

Next, the proposed law gives companies a uniform, standardized law. As a result, it will be easier for corporate America to develop policies and procedures that comply with a single federal breach notification law rather than 50 different state laws.

While this is a start, it may not be enough to slow the recent surge in data breaches. However, consumers should be optimistic that the current administration is taking on corporate America and recognizes the risk of identity theft that can arise from a data breach.