07-07-14 | Blog Post
The National Consumer League released a study last week based on surveys from identity fraud victims across the United States. It claims that just 28 percent of victims think the government’s requirements for protecting healthcare and financial data are sufficient.
“In this polarized political climate, it’s rare for Americans to express such agreement on any issue,” Al Pascual, a senior analyst at Javelin Strategy & Research, said in a press release. Javelin was a partner in the study. “But when it comes to the security of their personally identifiable information, the respondents said with one voice that the government must do more.”
With that kind of support, government action is assured. Right? Well, not so fast.
Let’s back up a few weeks to a significant political occurrence: Eric Cantor, the Majority Leader in the House, losing his Virginia primary to Dave Brat. In the words of political pundits – which we certainly do not claim to be – voting the No. 2-ranking Republican out of office is a sign of continued political gridlock. (Just Google ‘Cantor loss gridlock’ and read multitude of headlines.)
So what’s the tie-in to data breaches? An article by Eric Chabrow on BankInfoSecurity.com titled Cantor’s Defeat: Impact on Breach Law.
Chabrow, the executive director of GovInfoSecurity.com and InfoRiskToday.com, had this to say about the election result:
The rout of the No. 2 Republican in the House – Cantor lost by 11 percentage points – makes other lawmakers timid to act on nearly any bipartisan bill, even on what many would consider common-sense legislation. It’s a toxic atmosphere in Congress, which explains why a data breach notification measure and other cybersecurity reforms can’t get passed and sent to the Oval Office for President Obama’s signature. The current Congress is on the way to enact fewer laws than any since the 1940s.
Another obstacle: Getting lawmakers to agree on the bill’s language. There may be widespread agreement on a need for a national data breach notification law, but not necessarily on its provisions. Plus, business lobbyists likely will try to water down data breach legislation provisions to make them less onerous, and in turn help businesses save money. If those lobbyists succeed, support among consumer advocates in Congress for a national law could evaporate.
So if there’s little hope for a national law any time soon, at least state governments are taking action.
Just last month, Kentucky became the latest state to enact a data breach notification law that requires companies to provide notice to Kentucky citizens when a security breach involving personal data occurs. That leaves Alabama, New Mexico and South Dakota as the only states without notification laws. (The District of Columbia, Guam, Puerto Rico and the Virgin Islands are also on board).
Elsewhere, states that already had security breach notification laws are getting tougher. On July 1, a new Information Security Act took effect in Florida that repeals the state’s previous data breach notification law and increases companies’ reporting obligations and liability in the event of a data security breach. (Notable is the fact that Florida has more identification theft complaints per capita than any other state in the nation.)
But back to Chabrow, who argues different rules in different states isn’t the best solution.
… States, for instance, differ on the amount of days before organizations notify consumers their accounts might have been breached. Different rules for different states make it tough for businesses operating nationally because they must adhere to 47 different state statutes.
“The nuances of breach notification laws across the country … further complicate responding to multi-state breaches,” says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J. “Companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.”
Creating uniform national requirements for data breach notification through federal legislation would seem to be a no brainer that business would back. In fact, lawmakers have introduced nine bills in this Congress that address data breach notification, according to a congressional database. But don’t count on Congress to pass any of them. Cantor’s defeat for the Republican nomination for the House seat in his Richmond, Va.-area district exacerbates the situation.
Cantor’s defeat: Impact on breach law
Florida overhauls data breach notification law
Commonwealth of Kentucky enacts data breach notification law
RELATED CONTENT:
OCR audit requirements following a self-reported HIPAA breach