Craig Hoffman of BakerHostetler offers his thoughts about proposed legislation on Data Privacy Monitor.
Here’s one example of what Craig thinks needs to be clarified in any bill:
Owner/Licensor. Most state laws require the “owner” of the “personal information” that was stolen to notify the affected individual, while a “licensor” or “processor” of the data is required to notify the “owner” which in turn is required to notify the individuals. The dichotomy of “owners” versus “licensors” and “processors” does not neatly apply to how data is collected and used. Payment cards provide a good example. Banks that issue the cards often assert that they are the owner of the card data. When a card is swiped at a retailer, many retailers only use the data from the magnetic stripe to gain authorization for the transaction (and they do not store that data). If payment card data is stolen while it is being routed through the retailer’s system to its processor, it’s hard to view the retailer as the “owner.” If not, then is the retailer supposed to notify the issuing bank who would then notify the cardholder?
Good question.
The exemption for federally regulated entities like banks needs to be removed. The federal regs are very weak on requiring disclosures.
A mandatory maximum time for disclosing despite law enforcement needs to be set. I am aware of companies that asked LE if they should delay disclosures. LE will never say no, and the request was just to delay disclosures.
Mandatory disclosure to the state AG needs to happen for all breaches in excess of ten records and the AG needs to publicly display all of them. Ten records is the threshold for Fannie Mae breaches so it is not onerous.
All losses in any channel, not just electronic, need to be disclosed.
We agree. I had outlined my preliminary concerns about the proposal here, but since writing that, I have seen other concerns. Thanks for adding your thoughts.