U.S. Senator Pat Toomey (R-Pa.) introduced a bill Thursday to create a national standard requiring companies to protect and secure consumers’ electronic data.
Companies must currently comply with 46 different state laws in the event of a data breach. Sen. Toomey’s bill would preempt these laws and replace them with a single national standard, providing better protections and swifter responses for consumers.
In the event of a data breach, the bill would direct companies possessing personal data to notify consumers by mail, email or telephone if their information is stolen.
[…]
Source: Senator Pat Toomey
A copy of the bill’s text was posted by The Hill yesterday. And right off the top, one needs to question the low standard on data security the bill would set:
Each covered entity shall take reasonable measures to protect and secure data in electronic form containing personal information.
What’s “reasonable?” Although we don’t want a bill that would need revision every time new security measures become available, is it really “reasonable” in today’s world to consider unsalted MD5 “reasonable” security? How should a data security requirement be written to set the right standard without getting into specific methods?
While the security requirement strikes me as too lax or vague, the trigger to notification is too stringent, as the bill sets a dual requirement to trigger notification: the data must be acquired and accessed AND the covered entity must reasonably believe the the acquisition has caused or will cause harm, defined as identity theft or other financial harm.
So that’s where I pretty much lost interest in this bill as it would trump state laws that are much more protective of individuals. This bill might benefit businesses, but it certainly doesn’t help consumers who live in states with strong laws.