Under legislation introduced by U.S. Sen. Dianne Feinstein (D-Calif.), businesses and government agencies would have to notify consumers of data breaches under certain circumstances.
On the face of it, the Notification of Risk to Personal Data Act would require data breach notifications to individuals without an “unreasonable delay,” but exemptions in the legislation are broad.
Businesses, for instance, would be allowed to make a “risk assessment” of a data breach and only notify consumers if there is “significant” risk of harm. In addition, financial institutions would not be required to notify consumers of a breach if the breach does not result in a financial loss, even if the data breached includes a PIN number or other personally identifiable information.
Law enforcement agencies would not be required to notify consumers of a breach if the agency decides the notification would jeopardize an investigation or national security.
In addition, the bill pre-empts state data breach notification laws, many of which contain tougher language than Feinstein’s bill.
“Should there even be a risk assessment? Should the business get to decide who is at risk?” Gail Hillebrand, a senior attorney at the Consumers Union, told internetnews.com. “Particularly with bank accounts, debit cards and credit cards, I want to know if there is a breach. They don’t even have to tell you about it.”
The bill is a revival of legislation Feinstein introduced in the 109th Congress. It passed the Senate Judiciary Committee as part of a larger package of data breach bills, but the legislation never made it to a full vote of the Senate.
“It’s critical that victims of a security breach are informed promptly when their personal or financial information has been compromised,” Feinstein said in a statement. “Individuals cannot take the appropriate steps to protect themselves if they are not armed with detailed information about the breach. Without that knowledge, individuals are left defenseless to identity thieves.”
Since the now infamous ChoicePoint data breach two years ago, lawmakers have introduced bills to notify consumers of a breach, but no national laws have been enacted.
In the interim, the Privacy Rights Clearinghouse has documented data security breaches involving more than 100 million records. It’s a lengthy list, including Bank of America, LexisNexis, DSW, MCI, Ameritrade, Time Warner, Boeing, Ford Motor Company, Verizon, MasterCard, Wells Fargo, the American Red Cross, as well as colleges and government agencies.
Businesses have objected to blanket notification laws, arguing among other things that sending out numerous notifications would alienate consumers, particularly if the risk of ID theft is low. “I’ve never had one of our members object to getting too many notices,” Hillebrand said.