Seeking an end to the patchwork of state laws governing data breaches, advertising industry groups penned a letter to legislators requesting the passage of a federal law to create a uniform standard.
Sixteen organizations – including the Direct Marketing Association, American Association of Advertising Agencies, American Advertising Federation, Association of National Advertisers, and the Interactive Advertising Bureau – reached out to Senate Majority Leader Harry Reid (D-Nev.) and Speaker of the House of Representatives John Boehner (R-Ohio) to express “ongoing support” for a national bill that would preempt state laws.
“Currently, disparate laws in 47 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, frustrate efficient and uniform breach notification to consumers,” the groups wrote. “This is particularly true when a data breach affects individuals nationwide who reside in a number of jurisdictions covered by these various laws.”
The groups suggested that the trigger for notifying consumers of a breach should not be overly inclusive, which could result in unnecessary notifications and confused consumers. Instead, “any federal notification regime should only be triggered by a breach event that poses a significant risk of identity theft or other economic harm to the affected individuals.”
When defining “sensitive personally identifiable information,” any data derived from public records should be excluded, the groups said. The timing of notification should balance the need to notify consumers with a company’s efforts to gather facts, secure the system, and work with law enforcement, the letter added.
“[B]usinesses should always act to notify consumers without unreasonable delay, and, if additional time is required to complete what often becomes a criminal investigation, then law enforcement involved in helping companies track down criminals responsible for the breach should not have their investigation compromised by premature public notification.”
As for enforcement, given “the complexities of both data breach response and notification – often layered with the added complication of an ongoing criminal investigation – we believe that a federal notification standard should not allow for a private right of action,” the groups wrote. “Similarly, we do not believe that the Federal Trade Commission should be granted additional civil penalty authority in this area.”
Why it matters: Emphasizing the importance of data use and sharing to businesses in the American economy, the groups said that, at $246 per compromised record, the United States has the highest data breach costs in the world. Such costs could be greatly reduced with the enactment of a uniform law, the letter argued, and the signatory groups promised to provide continued support for national data breach notification legislation. “We need Congress to act now to enact legislation to help businesses effectively inform and ultimately protect the customers they serve when data compromises do occur.”