• TechNet supports a strong federal data breach notification law establishing a robust set of uniform protections for all Americans that is risk-based and focused on the likelihood of actual substantial harm to consumers.
  • A single national breach notification standard will provide companies and consumers with consistent, actionable notice of a data breach that could result in substantial harm and should include the following:
    • Notice if there is a risk of substantial harm;
    • Sufficient time for the private sector to report confirmed intrusions; and
    • Allowance for delays needed to determine the nature of the breach, including delays requested by law enforcement; to protect the intellectual property of reporting parties; and to protect information that could undermine the security of other individuals, companies, or systems, as well as sensitive information, including consumer data.
  • A federal data breach notification law should preempt the patchwork of state laws in this area and consider other federal breach notification obligations.
  • Data breach notification policy should only impact an entity if its network or system has been breached and acquisition of personally identifiable information has occurred. Reporting requirements that relate to unsuccessful attempts are not risk-based, will waste limited resources, and result in cumbersome contractual terms that create friction without providing any substantive benefit to data subjects. Entities should not be held responsible for, or be required to rectify, breaches outside of their control or responsibility.
  • Statutory requirements and obligations should be aligned with generally accepted cybersecurity frameworks like NIST’s Cybersecurity Framework 2.0, rather than impose specific security standards, which change over time.
  • Data rendered unusable by encryption, redaction, or any other security method or technology should not be considered to have been breached.
  • The standard giving rise to notification should be that data was acquired, not simply accessed. Notification requirements should be triggered by the determination that a breach has occurred, not merely by the initial discovery of a potential incident.
  • The distinction between an account takeover of a customer’s online account and a data breach should be explicitly recognized in statutes, with differentiated provisions and reporting methodologies.
  • Any statutory definition of personally identifiable information that triggers notification should exclude publicly available data and be limited to information that, if compromised, could identify a specific individual and lead to substantial harm.
  • The statutory notification obligation to consumers should rest with the first party that has the relationship with the end user, but parties should have the ability to determine by contract their respective roles.
  • Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and hold accountable perpetrators of identity theft and provide assistance to consumers. Support for deepfake and liveness detection may be warranted as well.
  • Enforcement of a new federal data breach notification statute should be limited to only the FTC and state attorneys general. Notification obligations should take into consideration notification obligations under other federal laws.
  • Legislation should not include private rights of action, civil penalties, or other tools that encourage litigation. These mechanisms would significantly undermine the effectiveness of a federal data breach notification law by discouraging reporting, without providing corresponding protections for consumers.