New Privacy Legislation Takes Shape

Will President Obama finally rationalize the 47 different state laws governing data breaches? The President says he will introduce legislation to create a single national standard designed to protect Americans from identity theft.

In the wake of breaches affecting Sony, Target, and Home Depot, just to name a few, data breaches seem inevitable these days. 47 states have their own laws which specify when and how the breach of personal information must be disclosed to affected individuals. These laws can differ greatly. Any company collecting personal information should have a breach notification plan in place so it is not scrambling to read and interpret numerous laws after a breach (which is already an anxiety-producing situation). Most states say the notice to individuals (and sometimes state attorneys general and credit reporting agencies) must be provided expediently or as quickly as possible. Some states, such as Florida, say the notice must be sent within 45 days. However, there is an important caveat. Many states recognize the need for companies to take time to determine the scope of the breach, implement steps to stop the breach, and coordinate with law enforcement. In my experience, this becomes a careful balancing act. Companies want to notify their consumers as soon as possible, but it takes time to conduct the computer forensics necessary to determine who is affected and what information was compromised. In addition, no one wants to hinder a police or other investigation if there is a chance of catching the hacker and learning even more about the breach as a result.

The President proposes that companies notify consumers of a breach within 30 days, regardless of what their state laws require. It's not clear whether the important caveats for breach investigation will remain in place.

The President also hopes to enact federal legislation governing consumer privacy. Various members of Congress have made efforts in this area over the years, but there is no single federal privacy law in the U.S. For the most part, consumer privacy in the U.S. is governed by a patchwork of sector-specific federal laws, state laws, case precedent, and industry practices. The President wants to cut through some of that confusion and enact a Consumer Privacy Bill of Rights. The Bill of Rights would give consumers the right to decide what personal information is collected and how it will be used, shared, and stored. Most of us have no doubt entered information online, and maybe even clicked an "I agree" box, without actually reviewing the site's privacy policy to analyze how our information will be used. The President wants to ensure that consumers have some basic and uniform privacy protections across different industries, even if we don't know all of the applicable laws and haven't read the privacy policies. We will continue to monitor these proposals and keep you informed of any new developments. For more information or assistance with privacy and data security, please contact the author, Donna Balaguer, Principal, CIPP/US, 202-626-7719.