OTA Comments on Proposed Data Breach Notification Legislation

As a member of The Online Trust Alliance (OTA), a global non-profit with the mission to enhance online trust and promote innovation, we take seriously the issue of online trust. There are now several federal data breach notification proposals wending their way through the legislature. OTA, because it represents over 100 other organizations, feels compelled to weigh in.

Here are six key points and provisions OTA believes are important considerations for an effective and balanced federal data breach notification law.

First, any federal data breach notification law must preempt the existing 47 state laws imposing a myriad of data breach notification obligations. State breach laws are a complex web of varied timing and notification requirements, and are a difficult mish-mash for an inter-state business to navigate during the challenge of responding to a data breach incident.

Second, any federal data breach notification law must contain a safe harbor from regulator penalties for those businesses or organizations that can demonstrate a commitment to the adoption of best security and privacy practices, provided they have been independently verified. While it is important to recognize there is no perfect security, OTA’s analysis of data shows that more than 90% of breaches that occurred in 2014 could have been prevented by adoption of best practices. A safe harbor for independently verified adoption of best practices would strongly encourage businesses to adopt best practices when they are most needed – in advance of a breach.

Third, any federal data breach notification law must contain a State right of enforcement. Similar to the Children’s Online Privacy Protection Act (COPPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), a state right of enforcement not only permits a state to protect its own citizens, but also allows states to complement the overburdened federal regulators by pursuing those companies and organizations that fail to live up to their data breach obligations.

Fourth, any federal data breach notification law must contain an appropriate coverage of personal information triggering notification. This is critical to ensure consumers are notified in a timely manner about those breaches they need to know about, and are not over-notified. If notifications become commonplace, consumers will get lost in the noise and likely not take appropriate action. Thus, the definition of what data is covered must be balanced and appropriate, must include paper records, and, due to the common reuse of passwords by consumers across their numerous accounts, must include coverage for email address/username and password. A user’s email address and password are essentially the keys to their online kingdom, permitting access to social and financial websites, either directly or through a master account password reset.

Fifth, timely notice is critical not only to consumers, but also to regulatory authorities and law enforcement agencies. Businesses should be required to notify the FTC, FCC or other primary regulator within seventy-two hours after discovering a breach involving covered data.

Sixth, any data breach legislation must permit businesses to share investigative forensics reports and related data with any law enforcement agencies investigating a breach. This sharing should not constitute a breach under the legislation nor impact any privilege or protections belonging to a business. Sharing forensic reports and data as soon as possible concerning a breach and attempted breach can be invaluable to help protect others and bring attackers to justice, and should be encouraged through appropriate protections in any data breach legislation.

We will be following this legislation through our active membership in OTA.