Data Breach Principles
- Only a single national standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm.
- It is important that this single national standard focuses on protecting people from financial harm.
- Notice requirements that are not related to a substantial harm will only burden companies and confuse customers with frivolous notifications.
- A national standard should include strong federal preemption with no state savings clauses.
- Data rendered unusable by encryption, redaction, or any other security method or technology should be considered out of the scope of data breach policy.
- Data breach policy should only impact an entity if its own network or system has been breached. Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
- The statutory definition of personally identifiable information should be limited to information that, if compromised, could lead to identity theft or other financial harm. Usernames or email addresses in combination with the user’s password should not be considered personally identifiable information.
- The following items would reduce the effectiveness of a federal data breach standard without providing meaningful consumer protections: a private right of action, civil penalties, and Administrative Procedure Act rulemaking authority for the FTC.