Data breaches are increasing, but so are proposals to combat them. The picture on the data security front is not all that sad, although every day we read news about data thefts and laptop thefts. It is like any typical happy-ending movie where good people fight the bad people and the brave win over the evil! Similarly, the more laptop thieves and data hackers we have, the more senators and data security experts there are to stop data from getting breached.
This time Senator Toomey plays the part of the hero, and let us hope he wins in the end.
Sen. Toomey introduces the Data Security and Breach Notification Act (S. 3333). This bill will preempt 46 state data breach laws and replace them with a national standard. Let us hope this bill gets passed.
This bill will set national standards on how companies should inform consumers about data breaches involving personal information.
The bill states:
The act directs corporations, trusts, cooperatives and similar entities that retain personal information to inform the owners of that information of a breach as quickly as possible. The breached entities have to inform the owners of the breached information of the date it was accessed, the information that was stolen and how to contact the breached entity for more information. The notification can be by telephone, email or on paper.
The bill further states that the organization will be required to notify the FBI or the US Secret Service. Law enforcement agencies can request, in writing, that the organization delay notification if doing so might compromise a criminal investigation or have an impact on national security.
More about the bill: people will be notified by telephone, email or on paper. They would have to be told when the breach occurred and what information was compromised. The legislation cites specific examples of such personal data, including Social Security numbers, driver’s license numbers, and bank and credit card account numbers.
The downside of the bill:
There is no specific period for actually sending out these notifications. That is what consumers are worried about: they feel that companies learn about breaches but do not inform consumers immediately. The states do have notification laws, but not without loopholes.
Strict data breach laws are already in place, as in the State of Connecticut. This bill appears weak in comparison. Connecticut, a state that is “in the forefront in protecting the personal information of its residents”, now requires a data breach notification to be made whenever there is a “breach of security.” The state’s data breach notification law defines such a breach as the “unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
Let the bills do their work; let Alertsec do its own: that of data encryption.