On January 12, 2015 the White House announced its intention to press for new legislation that would increase consumers’ protection on the web. The Personal Data Notification & Protection Act is intended to “clarif[y] and strengthen[] the obligations companies have to notify customers when their personal information has been exposed . . . .” Specifically, the proposed legislation would require businesses to either inform individuals “without unreasonable delay” or exercise an alternative provision allowing a company to avoid consumer disclosure if it investigated a breach and determined “there is no reasonable risk” that people will be negatively impacted, provided the rationale and results of the report are given to the Federal Trade Commission (FTC). Additionally, the FTC would have enforcement authority under the proposed law. Finally, the move would criminalize the international sale of data illicitly taken.

This move arrives as unauthorized data access becomes disturbingly common. According to the Identity Theft Resource Center, the number of data breaches in the United States rose 27.5 percent from 2013 to 2014, with 42.5 percent of the 2014 breaches occurring in the Medical/Healthcare sector. The two main causes of breaches were “[h]acking” and “breaches involving Subcontractor/Third Party,” at 29.0 percent and 15.1 percent, respectively. Moreover, Cisco Systems, Inc. indicates that nearly three-fourths “of IT professionals believe the use of unauthorized programs” was the cause of up to 50 percent of unauthorized data releases.

Currently, forty-seven states have legislation on the books involving organizations’ obligation to inform people if “personally identifiable information” may have been accessed. Having one federal standard instead of a series of idiosyncratic state laws may make consumer notification more efficient. Moreover, federal efforts to enter this regulatory niche are not new; the House of Representatives produced four bills on this subject matter between 2013 and 2015, while the Senate produced two bills. However, they failed to gain much traction. Furthermore, there is some concern that for a portion of states, a federal law would reduce protections. One editorial notes that North Carolina possesses a particularly stringent notification law, compelling a business to disclose a breach to customers immediately, “unless law enforcement officials feel that disclosure would get in the way of their investigation.”

While President Obama will likely elucidate the executive’s vision for the proposed law during the State of the Union address, it remains to be seen what a final bill would look like after a committee markup process. While many states have previously passed legislation in this arena, it is nevertheless encouraging that national leaders recognize the importance of communicating with customers about data leaks that could harm them.

Matthew Gaske