• TechNet supports a strong federal data breach notification law establishing a robust set of uniform protections for all Americans.
  • A national breach notification standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm and should include the following:
    • Notice if there is a risk of substantial harm;
    • Sufficient time for the private sector to report confirmed intrusions; and
    • Notification requirements that take into account the need to protect the intellectual property of reporting parties, information that could undermine the security of other individuals, companies, or systems, and sensitive information, including consumer data.
  • A federal data breach notification law should preempt the patchwork of state laws in this area and take into account other federal breach notification obligations.
  • Statutory requirements and obligations should be pinned to adherence to clear objective goals and outcomes, not specific security standards, which change over time.
  • Data that is accessed but not used, or that is rendered unusable by encryption, redaction, or any other security method or technology, should not be considered to have been breached.
  • The distinction between an account takeover of a customer’s online account and a data breach should be explicitly recognized in statutes, with differentiated provisions and reporting methodologies.
  • Any statutory definition of personally identifiable information that triggers notification should be limited to information that, if compromised, could identify a specific individual and lead to substantial harm.
  • The notification obligation to consumers should rest with the first party that has the relationship with the end user, unless otherwise stipulated in contractual provisions.
  • Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and hold accountable perpetrators of identity theft and provide assistance to consumers.
  • Enforcement of a new data breach notification statute by the Federal Trade Commission and state attorneys general should be consistent and exclusive, with certain exceptions for existing notification requirements under federal law.
  • Legislation should not include private rights of action and civil penalties that would significantly undermine the effectiveness of a federal data breach notification law without providing commensurate protections for consumers.
