Let’s Dive Into the Personal Data Notification and Protection Act: Overview, Analysis, Challenges

As we all know after hearing the State of the Union Address by President Obama, he is moving high on his agenda the need to address cyber security threats and needed protections to “the identities and privacy of the American people.” This is a very good thing. But as is usually the case, the real devil is in the details.

You can learn a lot about those details at an upcoming webinar titled President Obama's New Personal Data Notification & Protection Act: Overview, Analysis, and Challenges.

For instance, one of the big questions that has been raised in looking at the law is how it would effect the existing set of 47 state laws plus those of several territories. An excellent in-depth legal analysis of the proposed law was recently published by McDonald Hopkins. In it, they note that the proposed bill is intended to ‘pre-empt” all of the existing state laws. Why this is controversial comes down to several points.

First, many of the existing state laws have more stringent provisions than those in the Personal Data Notification and Protection Act proposal. Some find it objectionable that a new law would just wash away existing state laws, when in fact those state regulations do a much better job of protecting American’s who have personal information exposed through a data breach.

As noted in recent article titled House Takes First Steps on Federal Data Breach Law in ThreatPost, “EFF legislative analyst Mark Jaycox and staff attorney Lee Tien wrote

‘Companies are allowed a few exceptions to the disclosure, but will be overseen by the Federal Trade Commission to ensure they comply. In an attempt to normalize across the land, the law would trump all state data breach laws—including stronger ones—and allow the government to stop any action brought by a state attorney general.’”

Second, the new law would only cover electronic data, not personal information that might be exposed say on paper, or by someone looking at a computer screen where they really shouldn’t be. Because of these, those types of incidents would still be under the jurisdiction of state law and state Attorneys General. So the complexity engendered by the number of different state laws doesn’t really go away entirely.

Then lastly, there is controversy around the use of a so-called “harm standard” as proposed in the bill. Both in the McDonald Hopkins writeup and the ThreatPost article, there is discussion about the pros and cons of using a harm standard as a basis to trigger whether an incident is a notifiable data breach, or not. Interestingly, this ground was already plowed by the US Department of Health an Human Services in their data breach notification rules, where they initially used a harm standard, and because of issues and difficulties with it, then changed to what is considered a more objective standard based on probability of compromise.

The challenges and issues of using a harm standard are summed up by “Woodrow Hartzog of Stanford’s Cumberland School of Law. [In his testimony to the House Subcommittee on Commerce, Manufacturing and Trade he] cautioned against limiting consumer breach notification based on malicious intent, calling harm triggers dubious because it is difficult to draw a line of causation between stolen data and future harm. Meeting the burden of proof that harm is likely, Hartzog said, is nearly impossible. Hartzog pushed back on the idea of over-notification, saying we simply do not yet live in a world where consumers will suffer from data breach notification fatigue.”

As a member of the community of professionals involved with privacy, information security, compliance, risk and law, the ramifications of this bill will be highly relevant to you. You can learn more at an upcoming webinar titled President Obama's New Personal Data Notification & Protection Act: Overview, Analysis, and Challenges.