ICFE eNEWS #16-27 - August 2016
View this eNEWS online

Is it time for a national data breach notification law?

By Yan Ross, Director of Special Projects, ICFE

Since 2003, when California adopted the first data breach notification law, nearly all the rest of the States and similar jurisdictions have enacted some form of legal requirement for an organization that suffers a data breach to take certain actions to notify the affected parties and mitigate potential damage.
Over the years, California has amended its law several times to clarify and make more precise the terms and conditions of the requirements. Other States have adopted a variety of different conditions, and in general it's fair to say that a quilted pattern exists across the country.
As an organization may operate under a corporate charter issued in one jurisdiction, locate its headquarters in another, conduct business in many States, and deal with customers, employees, vendors, and business associates in still others, this lack of consistency can and often does result in duplicative and conflicting standards and practices.
It's a natural and predictable situation to seek consistency, either in the form of a model or uniform law to be adopted by the various jurisdictions, or by enactment of a federal law and regulation structure to standardize the existing conflicting and confusing arrangement.
To be sure, there are various federal laws already in place that subject the covered organizations to specific requirements in the event of a data breach. Examples among them are financial institutions, educational institutions, and healthcare providers. Beyond their explicit requirements, in most cases they do not supersede or pre-empt State laws. This can cut both ways: pre-emption may broaden the net of compliance and enforcement, but may also restrict application or exempt entirely certain types of organizations or data breach incidents.
Beyond notification requirements, the standard of remediation remains at a relatively low level. In most cases, the breached organization offers the consumer a year or two year of credit report monitoring, with some measure of assistance provided by an identity theft service company in the event of an actual problem arising. However, statistically, some 50% of all reported cases of identity theft are of a nature that do not show up in a credit report. The most vulnerable of these, with the greatest potential damage, is currently medical identity theft; unless the damage includes a claim for non-payment for medical services, such coverage won't help.
Here's an important note for consumers who receive notification of a data breach and are offered a monitoring and remediation service: be sure to enroll in the service promptly. In the event there is an event of identity theft, and the consumer has not enrolled, that failure to enroll may result in a waiver of any claims against the breached organization.
In early 2015, the "Data Security Act of 2015" was introduced in counterpart versions in both houses of the U. S. Congress. By late 2015, the bill had been considered by the relevant committees of both the House of Representatives and Senate, but as of this time has not reached the floor of either body. At this late date, the chances of enactment before the end of this term of Congress are relatively low.
For the moment, it does not appear that there will be action in 2016 by the federal government to enact any new national breach notification law. But rest assured the subject will come up next year with the new 115th Congress. Either way it comes out, this year's result does not obviate the need for consideration and decision to pass a law to deal with this important subject.

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info

Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

ICFE eNEWS is available FREE upon request by visiting the ICFE's Web site and filling out the contact form, selecting "Yes" for "Add to Mailing List." Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401