Proposed data breach notification bill criticized as too weak

Grant Gross | March 19, 2015
Proposed legislation that would require U.S. businesses to notify affected customers after data breaches is too weak because it would preempt stronger breach notification laws in several states and it wouldn't cover several classes of data, including geolocation and health information, critics told lawmakers.

The push for a national law received a boost in January, when President Barack Obama voiced support for legislation.

While several lawmakers called on Congress to move forward with a bill, just one of seven witnesses at Wednesday's hearing voiced support for the draft bill as written. The draft bill goes beyond breach notification by including "substantive" data security requirements, said Jon Leibowitz, co-chairman of the 21st Century Privacy Coalition, an advocacy group supported by large telecom and cable firms.

By replacing the "ever-changing patchwork" of state laws, the bill would give consumers certainty that they're protected in data breaches, added Leibowitz, a former FTC chairman. "Consumers in every part of the country are entitled to the same robust protections, and companies are entitled to a logical and coherent compliance regime," he said.

Leibowitz also praised the bill for putting enforcement in the hands of the FTC. "This bill is better for consumers than current law," he added.

Representatives of the National Retail Federation and the Information Technology Industry Council (ITI) raised concerns about parts of the draft bill, however. ITI supports a move toward federal data breach notification, but the bill could lead to too much notification because it requires breached businesses to send out notices for "economic harm," which could be broadly defined, said Yael Weinman, vice president for global privacy policy at the tech trade group.

The bill allows the FTC to levy fines of up to US $2.5 million for each violation of its data security rules and $2.5 million for failing to provide notice to consumers. "These amounts appear punitive, and do not seem to reflect that an organization that suffered a data breach, in most cases, is a victim itself of criminal hackers," Weinman said.
