Most businesses are already required by state law to notify affected people after a data breach, but a new proposed data breach notification law in Congress could simplify compliance.
The Data Security and Breach Notification Act of 2012, introduced by Senator Pat Toomey (R-Pa.) and sponsored by four other Republican senators, would consolidate the differing state data breach notification laws, which require businesses to tell affected individuals that their sensitive information has been stolen, into a single federal standard.
Right now 46 states, plus Washington, DC, Puerto Rico and the Virgin Islands, all have their own data breach notification laws. Many of those states have rules that are stricter than what the new bill proposes. While it would make compliance easier for businesses in many cases, some critics have argued that the proposal lacks teeth.
If passed, the Data Security and Breach Notification Act would require companies to take “reasonable measures” to protect data, and require them to notify affected individuals after a breach of certain types of data, including Social Security numbers, driver’s license numbers, credit and debit card numbers, and other financial account information.
Notifications would need to be made by email, telephone or on paper and would have to include the date the breach occurred, what data was stolen, and how to contact the organization for more information.
However, if information is “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable” when it is stolen, the incident wouldn’t be considered a data breach. But some tech experts have pointed out that no amount of encryption will ever guarantee that criminals can’t access data: encryption only protects stolen data for as long as the keys stay out of the attacker’s hands and the cipher and its implementation hold up, so a thief who also obtains the key, or who finds the data protected by a weak or misused cipher, can still read it.
The bill also leaves companies a lot of wiggle room to decide when to send out notifications. In fact, it doesn’t include a set time frame at all, instead requiring notifications to be made “as expeditiously as practicable and without unreasonable delay.”
Several attempts have been made previously to create a national data breach notification law. We’ll keep you posted on this most recent proposal.