· TechNet supports a strong federal data breach notification law establishing a robust set of uniform protections for all Americans.
· A national breach notification standard will provide companies and customers with consistent, actionable notice of a data breach that could result in substantial harm.
· A federal data breach notification law should have no state savings clauses.
· Notice standards should be related to protecting individuals from harm.
· Notice requirements that are not related to a substantial harm will only burden companies and confuse customers with frivolous notifications.
· A federal law should apply not only to the breach notification timeline, but also to the data security requirements, which should be flexible, non-prescriptive, and reasonably related to the sensitivity of the data and the state of technology. Any standard should also recognize that companies making every effort to secure data with the best available technology require predictable, accurate, and up-to-date engineering specifications.
· Statutory requirements and obligations should be pinned to adherence to clear objective goals and outcomes, not specific security standards, which change over time.
· Data that is accessed but not used, or that has been rendered unusable by encryption, redaction, or any other security method or technology, should not be considered a breach under the requirements.
· The distinction between an account takeover of a customer’s online account and a data breach should be explicitly recognized in statutes, with differentiated provisions and reporting methodologies.
· Any statutory definition of personally identifiable information that triggers notification should be limited to information that, if compromised, could identify a specific individual and lead to substantial harm.
· A federal data breach notification law should address instances when there is a breach of personal information on a third-party system. In such instances, the third party should be required to notify the first party that has the relationship with the end users if the third party knows that the data was personally identifiable information. The notification obligation to the end users should rest with the first party that has the relationship with the end user, unless otherwise stipulated in contractual provisions.
· Public safety entities should be provided the appropriate level of resources to help deter, identify, track, and punish identity theft or other substantial harm stemming from criminal behavior, and provide assistance to consumers.
· Enforcement of a new data breach notification statute by the Federal Trade Commission and state attorneys general should be consistent and exclusive, other than for entities subject to federal notification requirements such as those in the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.
· Legislation that includes private rights of action and civil penalties would reduce the effectiveness of a federal data breach notification law without providing substantive breach protections for consumers.