More Data Breach Laws on the Horizon?
CSO has an interview with one of the authors of the Privacy Law Blog on what data breach legislation we may see in the near future.
Answer? None:
CSO: Some of these bills have been in process for more than one session of Congress. So what’s taking so long?
Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated--as it is in many states--with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out . . .
There are a few big picture issues that will come into play. The first question is whether we will see federal or state legislation, and the effect of federal preemption, if any. The second is whether the law will provide for a private right of action (answer: most likely not - retailers and industry will push pretty hard against this). The third is whether the law will only require notification or other remedial measures.
I would bet ultimately we'll have a federal statute that is pretty watered down and almost functions as a safe harbor (e.g., only requires notification and does not provide for a private cause of action). I'm torn on whether we should see a private cause of action. On the one hand, empowering only banks and regulatory authorities could result in anemic enforcement efforts that are not aligned with the interests of consumers. On the other hand, providing for a private cause of action could just open up a Pandora's box of litigation (à la CAN-SPAM). CAN-SPAM enforcement provides a pretty good analogy, and legislators will be wise to take a look at the data points.