Federal Policy Agenda
Data Breach Principles
A single national standard will provide companies and customers with consistent,
actionable notice of a data breach that could result in substantial harm. It
is important that this single national standard focuses on protecting people from
substantial harm. Requirements that are not related to a substantial harm will only burden companies
and confuse customers with frivolous notifications.
A national standard should include strong federal preemption with no state savings clause.
Data rendered unusable by encryption, redaction, or any other security method or technology
should be considered out of the scope of data breach policy.
Data breach policy should only impact an entity if its own network or system has been breached. Entities should not be held responsible for, or
be required to rectify, breaches outside of their control or responsibility.
The statutory definition of personally identifiable information should be limited to
information that, if compromised, could lead to identity theft or other financial
harm. Usernames or email addresses in combination
with the user's password should not be considered personally identifiable information.
The following items would reduce the effectiveness of a federal data breach standard
without providing substantive breach protections: a private right of action, civil penalties, and Administrative Procedure Act rulemaking authority
for the FTC.