By George Lynch
The U.S. should consider adopting a federal standard for immediate data breach notification similar to the European Union’s forthcoming 72-hour notice rule, lawmakers from both parties suggested Feb. 14.
The EU General Data Protection Regulation (GDPR) will introduce the first broad breach notification mandate for the 28-country bloc when it takes effect May 25. It will require companies to notify affected individuals within 72 hours of discovering a data breach.
The massive breach of 145 million individuals’ data by consumer credit reporting company Equifax Inc. generated renewed interest in Congress in passing a data breach notification law. Equifax took more than 45 days to report the breach.
Rep. Blaine Luetkemeyer (R-Mo.), chairman of the Financial Institutions and Consumer Credit Subcommittee, said that he doesn’t know how companies gain back the trust of U.S. consumers “unless you go to an immediate notification. This is what I think we need to go to.”
He cited the upcoming EU rule as an example of a quick notification standard during a hearing on data breach regulations, questioning witnesses about the value of that deadline.
“Europe is looking at a 72-hour window,” he said. “Do you all agree that immediate notification is necessary, or some other standard?”
The U.S. needs notification that is almost immediate, and at least as soon as practicable, Marc Rotenberg, president of the advocacy group the Electronic Privacy Information Center, said.
“I think the 72 hours that the Europeans chose is probably a good target,” Rotenberg said.
Companies have favored a much longer period before notifying—30 to 60 days, typically—and moving to a shorter deadline could mean a greater compliance burden and higher costs.
“The 30 to 60 days that companies have favored is just too long,” Rep. Carolyn Maloney (D-N.Y.) said. The U.S. should move to a 72-hour standard since many companies will already need to comply with the GDPR, she said.
U.S. companies that control the collection of, or process, the personal data of EU citizens must follow the GDPR’s rules once it takes effect.
Lacy Clay (D-Mo.), the subcommittee’s ranking member, said Congress should look at the GDPR’s positive aspects when considering any data breach notification legislation.
With breach notification laws existing in all states, except South Dakota and Alabama, privacy advocates have called for a single national law to preempt the various state standards. Breach notice bills, however, have been introduced in every Congress since 2003 without success.
Most recently, Sens. Richard Blumenthal (D-Conn.), Bill Nelson (D-Fla.), and Tammy Baldwin (D-Wisc.) introduced a bill requiring organizations to notify affected individuals and the Federal Trade Commission within 30 days of discovering a breach.
To contact the reporter on this story: George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.