Wednesday, July 29, 2009

Is Senator Leahy a Capitalist?

On July 22, 2009, Senator Patrick Leahy (D-VT) introduced the "Personal Data Privacy and Security Act" to combat the growing number of data breaches. As of July 24, 2009, the Privacy Rights Clearinghouse had calculated that 263,214,232 records had been "lost." They are posting new breaches every week, and these are just those that are public knowledge.

We applaud Senator Leahy for tackling this important issue, as it threatens the trust in the financial systems that we use and that have become central to the American way of life.

However, several things strike me about the proposed legislation that protect the data brokers and not individuals. First, in Section 303, dealing with the "Privacy and Security of Personally Identifiable Information," there is a prohibition against "private action." That protects the data brokers from being sued by the people who have been adversely affected by a data breach. If someone is defrauded out of tens of thousands of dollars because a company lost their records, there is no recourse to sue and try to recover damages and associated costs in dealing with the identity theft. How does that protect the consumer?

Second, Section 316 gives a breached organization 14 days to report the breach to law enforcement agencies (the Secret Service in this case). That is way too long. In 14 days, hundreds of thousands of those records could be resold by hackers and used in fraudulent transactions. Why not make the notification requirement 24 hours? Better safe than sorry.

More to follow on this legislation as it is a step in the right direction.
