The vast majority of U.S. states have laws on the books requiring companies to immediately notify customers and law enforcement whenever a significant data breach or data loss incident takes place.
But as eSecurity Planet reports, the time has come for the federal government to take a more aggressive, proactive approach to legislation that would help victims and intended victims before it’s too late.
At the federal level, US Senator Patrick Leahy, D-Vt., has been trying to pass a federal data encryption law since 2005.
In November, Leahy’s bill, with bipartisan support, advanced out of the Senate Judiciary Committee.
If Leahy’s bill passes in its current form, it would override state laws and become the new national standard.
Forty-eight of the 55 US states and territories have some form of data breach law on the books. Most of them require companies to simply notify their customers if their data has been stolen and possibly sold to an online criminal gang in Eastern Europe.
The problem with that approach to regulating security is that it’s reactive. By the time you get the letter in the mail, it’s already too late.
But that’s all changing now. New data encryption laws, and not just breach notification laws, are now making their way through state legislatures.