Tony Romm writes:
Congress failed to pass a new federal law last year requiring the litany of companies affected by data breaches — from gaming giant Sony to shoe e-tailer Zappos — to notify consumers. But now some lawmakers believe they have a new route for passage: the Senate’s upcoming cybersecurity reform bill.
Read more on Politico.
There have been a slew of proposals over the past five years but none of the proposals have really been satisfactory and as I noted earlier this week in commenting on Senator Feinstein’s proposal, there is great concern that a weak federal law that preempts stronger state laws will do more harm than good.
If a federal proposal or amendment were put forth that mirrored a strong state law, I expect it would get a lot of support from the public and that some businesses would even get behind it because what they might lose by having more stringent requirements would be offset by what they’d gain in not having so many individual state laws to comply with. A strong federal breach notification law could also reduce the chaos that has sometimes resulted from various carve-outs. I’ve said this ad nauseum but Congress has failed to get the message: it doesn’t matter what type of entity was in stewardship of the data: if certain types of information are compromised, the entity should have to notify the individual.
Trying to slide through a breach notification law as an amendment to a cybersecurity reform bill almost guarantees that any amendment will be for a weak breach notification standard. We need to remain alert and let Congress know that that is NOT acceptable.