Data Breach: Notify Consumers When Their Data Has Been Compromised
At a Glance:
BSA Position
The US Congress should establish a federal law to replace the patchwork quilt of state data breach laws with a uniform national standard, requiring consumers to be notified when the security of their personal information has been compromised. This would significantly lessen the compliance difficulties experienced by businesses, and it would also lessen confusion for consumers, who today receive a variety of notices issued under many different standards.
Background
According to the nonprofit consumer organization Privacy Rights Clearinghouse, the confidentiality of more than 260 million individual records containing sensitive personal information has been compromised in computer security breaches in the United States since January 2005.
Data breaches may occur as a result of theft or loss of computer tapes, hard drives, or laptop computers; the posting of such information online without proper precautions; or the “hacking” of computer systems by outsiders to gain access to such information. In the most serious incidents, consumers may have their identities and personal funds stolen as criminals use Social Security numbers or credit card account numbers to pose as the consumers. Businesses that suffer data breaches face potentially millions of dollars in costs for hiring forensic experts, notifying consumers, offering compensation, and rebuilding consumer trust.
More than 40 states have passed laws that require organizations to notify consumers when the security of their data has been breached. Some of these laws also require that the data be better protected, to prevent such breaches.
Differences among these state laws have created compliance burdens for the organizations subject to them. The US Congress has considered creating a single national framework for data breach notification, but differences of opinion and jurisdictional conflicts between congressional committees have until now prevented enactment of such a law.
Not all personal information is sensitive, and thus not all data breaches pose a threat. Consumers should be notified only when a breach creates a genuine risk of fraud or identity theft, so that they can take measures to protect themselves. Risk-based notification can also create an incentive for businesses to implement stronger data security. This can be done by explicitly providing that, if data is rendered unusable by widely accepted security measures, the breach does not create significant risks and does not require notification.
Security threats evolve extremely rapidly, and IT companies must be allowed to respond equally rapidly in creating and deploying new security measures. This level of speed and effectiveness would be compromised if the government mandated the use of specific technologies.
Some advocates have proposed allowing private lawsuits, in particular class-action lawsuits, as a means of deterring security breaches. However, this would lead to excessive litigation and might even deter organizations from notifying consumers of data breaches.
Action Needed