Federal Policy Agenda
Data Breach Principles
- TechNet supports a preemptive federal data breach notification law that would establish a single national standard.
- Only a single national standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm.
- A national standard should include strong federal preemption with no state savings clauses.
- Notice standards should be related to protecting individuals from harm.
- Notice requirements that are not related to a substantial harm will only burden companies and confuse customers with frivolous notifications.
- A preemptive national standard should apply not only to the breach notification timeline, but also to the data security requirements. Any standard should also recognize that companies making every effort to secure data with the best available technology require predictable, accurate, and up-to-date engineering specifications. Standards should be pinned to a clear, objective benchmark and include a requirement that the benchmark be updated regularly, so that compliance does not become tied to technology that has since been superseded.
- Data that was accessed but not used, or that was rendered unusable by encryption, redaction, or any other security method or technology, should not be considered a breach under the requirements. For encrypted data, this presumes the encryption key was not also compromised in the same incident; encrypted data whose key was taken with it is not unusable.
- Any statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other harm.
- Any security standards included in data breach legislation should be high-level, flexible standards that are reasonably related to the sensitivity of the data and the state of technology and are not prescriptive.
- A federal data breach law should address instances when there is a breach of confidential personal information on a third-party system. In such instances, the third party should be required to notify the first party that has the relationship with the end users if the third party knows that the data is personally identifiable information. The notification obligation to the end users should rest with the first party that has the relationship with the end user, unless otherwise stipulated in contractual provisions.
- Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish identity theft or other substantial harm stemming from criminal behavior.
- Enforcement of a new statute should rest consistently and exclusively with the Federal Trade Commission (FTC) and state Attorneys General, except for entities whose compliance is based upon adherence to existing federal data security and/or consumer notice requirements.
- Legislation that includes private rights of action, civil penalties, and/or Administrative Procedure Act rulemaking authority for the FTC would reduce the effectiveness of a federal data breach standard without providing substantive breach protections.