Trade groups send letter with data security priorities to Senate

Seen on NACS:

Last Friday, NACS and a group including eight other trade associations sent a letter to every U.S. Senator articulating the priorities of the associations in the context of data breach or data security legislation. The Senate has indicated that it might consider cybersecurity information-sharing legislation on the floor this coming week and if so, that may become an opportunity for Senators to try to amend the legislation with provisions relating to data breach and data security.

Read more on NACS.

The letter identifies three principles. The first is that

every business should have an obligation to notify consumers when it suffers a breach of sensitive personal information that creates a risk of financial harm.

No exceptions by sector, and no kicking the responsibility to another business, the group argues. That would be fine with me, except that the standard is risk of financial harm, and as readers of this site know, I am militantly opposed to notification laws that only address financial harm when there are other significant risks and harms possible.

The second principle is that they want one federal law that pre-empts the existing patchwork of laws. That would be fine if the federal law were stronger than the existing strongest law, but it’s not okay if the federal law pre-empts stronger state laws – as state attorneys general have already pointed out.

The third principle is that they do not want a “laundry list” of specific security requirements, as businesses vary in their size and scope. They want a reasonableness standard. Ironically, perhaps, this is exactly what the Federal Trade Commission has argued it needs and provides – and exactly what some businesses, like Wyndham and LabMD, have challenged the FTC about – the failure to provide specific notice as to what’s expected.

The organizations that signed the letter are: