Throughout the course of this blog, we’ve called industry
attention to many major data breaches as they have been made public. And, while
these breaches have been caused by a variety of factors, including lost or
stolen hardware, improper security measures, and deceptively installed
monitoring programs, they have all had the common factor of an extended delay
in contacting end-users about the possible risk to their personal identity information.
Most of the victimized businesses and organizations have taken steps to notify
consumers via letter or e-mail, and most have offered a year or more of
complimentary credit monitoring, but some government officials feel this may
not be enough.

Ars Technica reported the story earlier this month of two new bills passing
through the Senate that would change the way both consumers and businesses are
impacted by corporate data breaches. These bills are the Data Breach
Notification Act (S. 139) and the Personal Data Privacy and Security Act (S.
1490). If passed, these bills would speed up the processes of notifying data
breach victims of their at-risk information, while also punishing those who
have been breached for not disclosing the events appropriately.

The Data Breach Notification Act is unfortunately not
without gray areas. The reporting article specifically highlights two questionable
areas, including a lack of a defined timeframe for notifying affected consumers,
and the ability for businesses to claim exemption from the requirement to
notify if they themselves conclude there is no significant risk to the
consumer. Consumer advocates are calling for adjustments of these terms, and
while previous bills addressing the same subjects have not had much luck
passing into law, they are holding out hope that S. 139 and S. 1490 may be the
documents that lead the industry in a more informed direction.