- TechNet supports a strong federal data breach notification law establishing a robust set of uniform protections for all Americans.
- A national breach notification standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm and should include the following:
  - Notice if there is a risk of substantial harm;
  - Sufficient time for the private sector to report confirmed intrusions; and
  - Notification requirements that consider any needed delays to determine the nature of any breach, including law enforcement requests for delay, the need to protect the intellectual property of reporting parties, information that could undermine the security of other individuals, companies, or systems, and sensitive information, including consumer data.
- A federal data breach notification law should preempt the patchwork of state laws in this area and consider other federal breach notification obligations.
- Statutory requirements and obligations should be pinned to adherence to clear objective goals and outcomes, not specific security standards, which change over time.
- Data rendered unusable by encryption, redaction, or any other security method or technology should not be considered to have been breached.
- The standard giving rise to notification should be data acquired and not simply accessed.
- The distinction between an account takeover of a customer’s online account and a data breach should be explicitly recognized in statutes, with differentiated provisions and reporting methodologies.
- Any statutory definition of personally identifiable information that triggers notification should exclude publicly available data and be limited to information that, if compromised, could identify a specific individual and lead to substantial harm.
- The statutory notification obligation to consumers should rest with the first party that has the relationship with the end user, but parties should have the ability to notify consumers unless otherwise stipulated in contractual provisions.
- Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and hold accountable perpetrators of identity theft and provide assistance to consumers.
- Enforcement of a new federal data breach notification statute should be limited to the Federal Trade Commission and state attorneys general. Notification obligations should take into consideration notification obligations under other federal laws.
- Legislation should not include private rights of action and civil penalties that would significantly undermine the effectiveness of a federal data breach notification law without providing commensurate protections for consumers.