Last week, the House passed the Data Accountability and Trust Act, a bill that would require organizations to notify potential identity theft victims whenever their electronically stored personal information is exposed. It now goes to the Senate for review and a vote. If it passes the Senate, it will have implications across the entire country. Over the past five years, however, other bills have crossed the House and Senate floors, and none have made it into law. This nationally scoped bill would preempt the state laws currently on the books and be the first of its kind; right now, 45 states have data breach laws of their own.

The Data Accountability and Trust Act starts off well enough, requiring organizations to report breaches in which personal information has been lost or stolen. A national regulation also means less confusion and greater adherence to a common set of procedures for handling data breaches.

I fear that this bill, like the others before it, is going to get bogged down in the Senate and may never see the light of day. There are a couple of reasons why. First, two other data breach notification bills (S1490 and S139) have already cleared the Senate and moved over to the House for review. The second concern is that the Data Accountability and Trust Act would be enforced by the FTC, which can only enforce it against entities within its jurisdiction. That leaves many companies and government organizations (banks and common carriers, for example, fall outside the FTC Act) beyond its reach, which means gaps in coverage and a lot of breaches that go unreported.

The last concern is the bill's exemptions. Breaches would not have to be reported if the organization has determined that “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” and the bill also exempts breached information that was encrypted or protected by any other technology the FTC identifies as rendering the data unreadable. Both are judgment calls left to the breached organization, and the encryption safe harbor only holds if the keys were not exposed along with the data. Again, that leaves a lot of room for interpretation of what counts as a reportable breach.

There is no question in my mind that a national data breach law would be the best approach. But the reason so many states have their own data breach laws is that the federal government has been too slow to address the problem, and when a federal bill does appear it often lacks the teeth needed to put a real dent in data breaches. Whatever happens in the Senate, organizations should not wait for it: take a proactive approach to managing and protecting your data, and let compliance follow from stronger security measures rather than the other way around.