Gary Palgon
Vice President, Product Management
nuBridges
We’ve had a close eye on D.C., as two retooled data breach notification bills have been wending their way through Congress. While we had our eye off the ball recently (guess we were lulled into thinking this newest round of legislation would go the way of the past several bills), on December 9th the House of Representatives passed, for the first time ever, a data breach notification bill. While that’s great news, we’re wondering whether, if the bill makes it through the Senate and becomes the law of the land, it will replace the patchwork of state laws – 45 as of today – that exist. Right now, breach alert mandates are handled at the state level. Will this legislation rationalize data protection legislation across the US? Doubtful; more realistically it will provide a consistent baseline that states, and companies looking to comply with data protection notification laws, can use as a starting point.
The Data Accountability and Trust Act (DATA) will indeed standardize data protection across the US at a Federal level. It requires companies, defined as data brokers, that hold sensitive personal information – everything from Social Security numbers to driver’s license numbers to credit card information – to secure that data and provide notice to affected consumers that their data has been compromised. What’s more, the bill allows consumers to have access to files about them and request that errors be corrected.
The bill directs the Federal Trade Commission (FTC) to create rules for destroying obsolete non-electronic data in addition to requiring data brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. If a breach does occur, the FTC is ordered to conduct a security audit of the data broker.
As with many state laws, the DATA has a safe harbor provision. According to the legislation, data encryption establishes a presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a data breach. Here’s the actual language of the legislation relating to data encryption:
“…Encryption – The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been, or is reasonably likely to be compromised…”
It’s not great news that it takes Federal legislation to push companies along to protect consumer data in the first place, but I’m hopeful that a Federal law will make data protection easier for all of us – what do you think?
Best wishes for a happy holiday,
Gary
PS: nuBridges can help you take advantage of “safe harbors” and minimize the risk of a breach. nuBridges Protect™ is an integrated encryption, tokenization, key management and audit logging solution that is already proven in business-critical production environments – for example, it encrypts billions of credit card numbers every day around the world.