Data Security

TechNet supports a strong federal data breach notification law establishing a robust set of uniform protections for all Americans.
A national breach notification standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm and should include the following:
- Notice there is a risk of substantial harm; requiring notice in other instances will only burden companies and confuse customers with frivolous notifications.
- The private sector should be allowed sufficient time to report confirmed intrusions.
- Notification requirements should take into account the need to protect the intellectual property of reporting parties, information that could undermine security, and sensitive information, including consumer data.
A federal data breach notification law should preempt the patchwork of state laws in this area.
Statutory requirements and obligations should be pinned to adherence to clear objective goals and outcomes, not specific security standards, which change over time.
Data accessed that is not used or rendered unusable by encryption, redaction, or any other security method or technology should not be considered having been breached.
The distinction between an account takeover of a customer’s online account and a data breach should be explicitly recognized in statutes, with differentiated provisions and reporting methodologies.
Any statutory definition of personally identifiable information that triggers notification should be limited to information that, if compromised, could identify a specific individual and lead to substantial harm.
A federal data breach notification law should address instances when there is a breach of personal information on a third-party system. In such instances, the third party should be required to notify the first party that has the relationship with the end users if the third party is knowledgeable that the data was personally identifiable information. The notification obligation to the consumers should rest with the first party that has the relationship with the end user, unless otherwise stipulated in contractual provisions.
Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish identity theft or other substantial harm stemming from criminal behavior, and provide assistance to consumers.
Enforcement of a new data breach notification statute by the Federal Trade Commission and state attorneys general should be consistent and exclusive, with certain exceptions for existing notification requirements under federal law.
Legislation that includes private rights of action and civil penalties would significantly undermine the effectiveness of a federal data breach notification law without providing substantive breach protections for consumers.