[BreachExchange] Single National Data Breach Notification Standard Proposed

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 13 15:02:00 EDT 2017


https://healthitsecurity.com/news/single-national-data-breach-notification-standard-proposed

A recently proposed bill calls for a single national data breach
notification standard, which would replace the existing state notification
laws and “clarify and strengthen” organizations’ reporting obligations.

Rhode Island Congressman Jim Langevin reintroduced the Personal Data
Notification and Protection Act in September 2017, in the wake of the
large-scale Equifax data breach.

In that situation, consumers were not immediately notified whether they
were potentially affected, Langevin said in a statement. There must be
clear communication on such matters, which is why his legislation is
necessary to face the current cybersecurity threats.

“This bill will replace the patchwork of 48 state breach notification laws
with a single nationwide standard that would clarify and strengthen
companies’ obligations to report intrusions that compromise consumers’
personal information,” Langevin stated. “Americans put a lot of trust in
companies by giving them personal and private information, and they should
have confidence that their data is secure.”

Individual notification must take place within 30 days, according to the
bill. The Federal Trade Commission (FTC) would also help coordinate the
notification process.

A written notification through the mail, telephone notification, or email
notification are all acceptable ways for individuals to be told about a
potential data breach, the bill states.

“If the number of residents of a State whose sensitive personally
identifiable information was, or is reasonably believed to have been,
accessed or acquired by an unauthorized person exceeds 5,000, notification
is provided to media reasonably calculated to reach such individuals, such
as major media outlets serving a State or jurisdiction,” the bill reads.

HITECH Act-defined covered entities and business associates are excluded
from the Act, as are “business entities to the extent that they act as vendors
of personal health records.”

The following is considered “personally identifiable information,” where
notification would be required should the data be compromised:

- An individual’s first and last name, or first initial and last name, in
combination with any two of the following data points: home address or
telephone number, mother’s maiden name, date of birth

- Social Security number, driver’s license number, passport number, or alien
registration number or other government-issued unique identification number

- Unique biometric data such as a fingerprint, voice print, a retina or iris
image, or any other unique physical representation

- A unique account identifier, including a financial account number or credit
or debit card number, electronic identification number, user name, or
routing code

An organization that conducts a risk assessment and “concludes that there
is no reasonable risk that a security breach” would lead to harm, or did
harm, to individuals whose information was involved may qualify for Safe
Harbor, according to the bill.

There has previously been opposition to federal data breach notification
processes that would preempt state law.

The National Association of Attorneys General (NAAG) wrote a letter to
Congress in 2015 that stressed the need for states to have the ability
to enact and enforce state breach notification laws. Oftentimes, state laws
have more protections than federal ones, the group maintained.

“In recent years, a number of states have reexamined and updated their data
breach notification laws to ensure they continue to protect the sensitive
information about consumers being collected,” NAAG said. “Some states now
include notification requirements for compromised biometric data, login
credentials for online accounts, and medical information.”

The changes reflect how data collection has increased over the past decade,
and show a response to consumer concern over that increase.

State attorneys general have also seen cases where unsecured networks lead
to consumers’ information being compromised, the group stated. Federal
legislation must allow states to continue to enact and enforce the
necessary protections.

“While such notification at the federal level may work for large breaches
that affect consumers nationwide, it does not work for breaches that affect
one state or one region,” NAAG explained. “Many breaches are significant,
but not nationwide in their scope. A better solution to the problem is for
state attorneys general to also be given timely notification of breaches,
as many state laws already require.”