Cerasale: Expect Federal Data Breach Law This Year
Cerasale briefed list professionals at a legislative update held yesterday by the DMA's List and Database Council.
"Odds are much higher now that a federal security breach law will pass before October 2006," he said.
Cerasale cited the four bills that the DMA considers important, listing those in the Senate Commerce Committee, Senate Judiciary Committee, House Financial Services Committee and House Energy and Commerce Committee as the ones from which the eventual law will come.
The federal bills resemble the California data breach notification law that prompted data broker ChoicePoint to reveal breaches early last year. Some other data breaches revealed last year involved LexisNexis, DSW Shoe Warehouse and CardSystems Solutions.
Cerasale said the details of the federal legislation likely to pass should become clearer in a few months. Meanwhile, the DMA is satisfied with many of the provisions in the bills. All four discussed by Cerasale would preempt state data breach notification laws.
Though all four bills say that the sensitivity of the personal information dictates whether breach notification is necessary, they differ on what constitutes sensitive data. Three of the bills treat name, address, e-mail address and other marketing data as sensitive only if accompanied by a Social Security number, driver's license data or an account number such as a credit card number.
However, the Senate Judiciary bill added any government identification, mother's maiden name and exact date of birth as qualifying sensitive data when coupled with marketing data like name and address, Cerasale said.
In all four, the trigger for mandatory notification is set at "significant risk," a term still not clearly defined. There has been talk of changing "significant" to "reasonable" in the House Energy and Commerce bill, he said, though it is unclear how big a difference in the notification threshold that would make.
A major issue with the Senate Judiciary bill involves a provision that calls for access and correction for breached data, meaning that a consumer who was the victim of a breach of sensitive data would have the right to access his file and correct any errors. The DMA opposes this based partly on the expense but also because access might undercut antifraud measures, Cerasale said. He predicted a battle over this provision.
While the House Financial Services bill covers breach notification only, the other three have information broker provisions.
"Information brokers are defined as a person who rents, sells, exchanges, etc., personal information to a third party on non-customers," Cerasale said. The data that ChoicePoint sells to employers for applicant background checks would be an example.