Friday, December 11, 2009

New Federal Data Breach Notification Law Passes House

While discussing most of our cases in class, a frequent question was whether customers should be notified of a data breach. If the bill that passed the House this week is signed into law, this will no longer be an open question. Currently, any laws requiring disclosure are enacted individually by the states, but it is starting to look like this will no longer be the case. The bill states that if there is a breach of security at any person engaged in interstate commerce who electronically holds the personal information of others, two things must take place:
  1. "notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and
  2. notify the Federal Trade Commission."
The bill also gives special consideration to information brokers. After a breach, an information broker will be required to submit its security policies to the commission along with the notification that a breach occurred.

Ultimately, the legislation appears to be trying to make information security a topic that matters to the public. Data breaches are going to occur, and people need guidance about how to respond to them. This bill will help with that: a federal mandate requiring that everyone affected be notified when a breach occurs will help ensure that people know when their information is at stake.

Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1376407,00.html

2 comments:

  1. Hopefully, the intent of this legislation is to simplify the spiderweb patchwork of privacy and information security laws in the United States. Also, it will give some protection to those four states that still have no disclosure laws. Nevertheless, I have my doubts. Will these laws overwrite state laws? If so, there are bound to be areas that the law misses where state laws cover. This could further complicate regulations, making it difficult for smaller businesses to comply. Also, how certain do companies need to be that there was a data breach? In the past case studies that we have seen, it is very difficult to determine if and how much info was lost.

  2. While I can understand that this law is making a move toward guiding companies in the event of a situation, I think that the first part of the new law is a little bit ambiguous. It states that the company in question has to "notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security". So does this mean that customers should be notified if there are signs of a breach, even though there is no evidence that any customer information was touched (like in the iPremier case)? Or would companies be required to inform customers only if there is evidence that customer information was lost/stolen/the like?

    I do think that it is good that regulations for information security are being reviewed, but I do think that these laws are probably designed to be a little flexible, in order to give the companies in question some options; this is probably necessary because companies do have different priorities to try to balance, but at the same time, this always makes room for companies to make fatal mistakes that are not beneficial to their stockholders. I'm not so sure how this law will affect the way that companies decide to address emergency issues, but I guess we will see soon.
