National Data Breach Notification Laws Getting Closer

Political momentum is building for a nationalized approach to data breach notification.  I think it's just a question of "when" this will become the law of the land.

Here's a quick summary of the laws under consideration:

The U.S. Senate Judiciary Committee recently approved two bills that would require organizations with data breaches to report them to potential victims.

The first bill is called the Data Breach Notification Act and is sponsored by Senator Dianne Feinstein of California.  It would require U.S. agencies and businesses that engage in interstate commerce to report data breaches to victims whose personal information "has been, or is reasonably believed to have been, accessed, or acquired."  Feinstein's bill would also require agencies and businesses to report large data breaches to the U.S. Secret Service

The second bill, S. 1490, is sponsored by Senator Patrick Leahy of Vermont.  It would also require the U.S. government to establish rules protecting privacy and security when it uses information from commercial data brokers.

The Bottom Line:

The stakes are getting higher for keeping customer information safe from cyber criminals.  Depending on your business, appearing on a national breach notification list can be a major blow to your brand.  Take your pick...financial institutions, restaurants, retailers, consulting firms..get on that list and you'll lose customers...and maybe even your business. 

Note to IT Managers:  As you finalize budgets for next year, make sure that enough resources are allocated to a defense in depth approach to security.  Consider the pending legislation just another reason to strengthen your defenses against all threat vectors.  Take a critical look at your infrastructure and then seek partnerships and managed security solutions where it makes sense. 

Helpful Links:

S. 139 Data Breach Notification Act
S. 1490:Personal Data Privacy and Security Act of 2009