A federal data breach notification law would erode significant strides made in information security and breach response, ultimately harming consumers, according to California Attorney General Kamala Harris, whose office recently sent a letter to the chair and ranking member of the United States House of Representatives Committee on Energy and Commerce.
The Committee is considering a bill (H.R. 1770) that would implement a national standard for data breach notification, a move that much of the business community supports to avoid having to comply with 47 different state laws. According to Harris’ office, California, which passed the first state data breach notification law in 2003, has consumer protections that go beyond anything Congress is considering.
“In the 12 years since California’s breach law was first enacted, it has been updated periodically in response to emerging threats and rapidly changing technology,” stated Justin Erlich, assistant attorney general, in the letter. “For example, in 2008, in response to burgeoning medical identity theft and its life-threatening impact for California residents, medical and health insurance information were added to the personal information covered by the law. In 2013, with evidence that criminal organizations were targeting online account credentials, the law was amended, expanding the scope of personal information subject to existing security breach disclosure requirements to include a user name or email address, in combination with a password or security question and answer that permits access to an online account. Over the years, states have proven nimble in responding to changing circumstances that affect their residents. Preempting the right of states to make such adjustments in the law deprives their residents and other jurisdictions of valuable insight and information that can inform timely innovation. This legislation overlooks the ability of states to be more nimble in adapting to changing technology.”
The AG’s office also challenged the idea of setting a specific time limit for data breach notification, such as 30 or 45 days. The California law requires notification “in the most expedient time possible and without unreasonable delay,” which allows flexibility, according to Erlich.
The bill has been introduced in the House but has not yet passed out of committee.