written by Pierluigi Stella
This news addresses an issue that has been ongoing for quite some time. Out of 50 States, 48 have rules related to data breach notification. Some, such as California, have very strict rules, written in such a way that a breach occurring anywhere in the US might still fall under that State’s law.
The plethora of laws and rules poses a big problem for companies operating across States. It also poses a problem for companies indirectly affected by the rules of a State in which they do not operate. A data breach is nightmare enough as it is; having 48 laws to comply with makes it all the worse. Imagine companies like Office Depot, which of course operate in every one of those States and must report data breaches differently in each of them. It’s a true nightmare, added to the already painful issue of the breach itself.
A unifying law at the Federal level has been long overdue.
Numerous attempts have been made in the past, but the lack of bipartisan consensus and a Congress unwilling to take on any responsibility have allowed this issue to slip through the cracks, forgotten. That Mr. Obama finally wants to see these rules unified is a very welcome fact. I understand the position of those who call for some measure of freedom at State level; but I’m not certain that’s such a good idea. When you’re Target and you need to deal with one of the largest breaches in history, you want one rule to go by, and you want it applied across all States. The rules coming out of the Federal Government should be generic and yet restrictive enough to guarantee privacy and immediate notification. In fact, I don’t understand why we need to wait 30 days.
Such notifications should be sent as soon as reasonably possible, and that shouldn’t be more than 15 days. A month is a long time on the Internet; if your data has been lost, you want to know now, not 30 days from now.
At the same time, unification of the rules would be fundamental for the purpose of simplification. Such laws need to be clear and simple; they need to specify whom to notify, when, and how. There’s really no need for anything beyond that.
On the issue of child privacy protection, I have never understood why, in this country, we need a law for every detail of everything that happens.
Why can’t we have a general internet privacy law, which would protect all consumers, no matter their age, and would guarantee that our information isn’t shared around against our will, especially not surreptitiously and for profit? When are we going to forbid the now common practice of retrieving search data to tailor advertisements? I search for something on Amazon.com; before I know it, Facebook.com shows me ads about that very same item. Clearly, they’re reading my searches.
As someone who works in this field, I know what’s going on; but if I were just a ‘common’ user, I’d be scared that they had installed some tracking Trojan on my computer. This may be great for the companies, but it’s my personal data, and no one should be allowed access to it for free. The same goes for any information that my children put online in order to use required school software. This data MUST be protected, and the punishment for abuses needs to be so severe that companies will go out of business for a single fine. Only if the fines are that high will companies obey and comply.
Nothing else will be able to stop the onslaught, because companies stand to gain substantial amounts from the sale of such data.