Congress looks to pass data breach law
Grant Gross writes in InfoWorld:
The U.S. Congress will look to pass consumer data protection legislation as it returns next week from its mid-year recess, but if Congress fails to act, a tough new state law will force interstate companies to disclose virtually all data breaches, no matter how small the risk.
A New York data breach law, signed by Governor George Pataki on Aug. 10, would take effect in mid-December. New York, the 19th state to pass a data breach notification law, would allow no exceptions for companies that have their own disclosure policies.
The New York law requires companies to disclose any unauthorized breach of databases that contain New York residents' personal information such as Social Security, drivers' license and credit card numbers, with a limited exception for some encrypted data. The New York law makes no exception for small data breaches or breaches unlikely to result in identity theft, despite concerns raised by groups such as the Information Technology Association of America (ITAA) that customers could be bombarded with too much notification in cases where there's little chance of harm.
Congress and about 35 state legislatures have considered data breach notification laws this year as more than 60 companies, complying with a 2003 California law, announced breaches affecting millions of U.S. residents this year. Although the California law requires that companies notify only California residents, it has become the de facto national standard, with companies sending out notices to all customers.