Protecting your sensitive data for over 20 years - Netlib
Thursday, June 5, 2014

Changing the Status Quo on Data Notification Laws

“Patchwork.”  That’s the term that seems to be bandied about most frequently when talking about the system in place for notifying customers that their personal information has been compromised.  A “patchwork quilt.”  And not the nice kind, like the family quilt your grandmother inherited from her parents which eventually finds its way down to you.  No, this patchwork is the type that can only be described, to quote Senator Tom Carper (D-Del), as “a nightmare.”

Carper currently holds the position of chairman of the Senate Homeland Security and Governmental Affairs Committee, and he’s hardly the only one who has highlighted the extremely problematic, inchoate approach taken by institutions throughout the US towards notifying consumers who have become victims of data breaches.  The recent headline-shattering incidents such as the Target data breach, among other retailers, have, in fact, had the upside of renewing attention on this issue at a national level, driving a Congressional impetus for a national standard to replace the “patchwork” currently in place across the different states.  For, although most states (not all, mind you) do have laws governing when companies are to notify consumers that there has been a significant breach of their personal data, there is a severe lack of cohesion.  The laws may differ in how quickly disclosure is required, in their definitions of “personal information,” or even in what constitutes a breach.

This is hardly surprising.  How many months has it been, after all, since a new federal health care policy that covers everyone came into effect?  Indeed, the history of the United States is rife with issues where a national policy took time to develop, from health care to civil rights.

Changing this status quo on notification laws is now the intended goal of Congress, with support from Attorney General Eric Holder.  Regardless, coming to nominee #2 for “wow, I’m shocked,” there are quite a few impediments that have been preventing legislation from being passed on this issue.  For one, the simple fact is that retailers approach notifying customers of data breaches like it’s a lion in a gladiatorial arena.  They don’t like it.  And while many companies have voiced support for a federal standard, there are differing opinions on when to notify: some believe notification is warranted only when sensitive information is exposed, reasoning that alerts over trivial, harmless data will eventually cause consumers to tune out the alerts altogether.

Another impasse is the worry by certain groups that any national standard will be weaker than the strongest state laws.  This is a reasonable fear; people in those states wouldn’t want to give up their standards for a one-size-fits-all law that might be watered down.  As a result, Congress must weigh various competing proposals that differ in thresholds for notification, terms and methods of enforcement, penalties for concealing breaches, and so on.

While this dilemma stews and, hopefully, some compromises are reached sooner rather than later, I can’t help but wonder at the glaring omission in all this.  That is, improving the old patchwork way of alerting consumers is all well and good, but you don’t want infiltrators to break in and steal the data in the first place.  A greater emphasis on database protection and encryption would go a long way towards preventing breaches and, concurrently, the notifications that follow them.