ICFE eNEWS #16-27 - August 17th 2016
Is It Time For a National Data Breach Notification
By Yan Ross, Director of Special Projects, ICFE
Since 2003, when California adopted the first data breach
notification law, nearly all the rest of the States and similar
jurisdictions have enacted some form of legal requirement for an
organization that suffers a data breach to take certain actions
to notify the affected parties and mitigate potential damage.
Over the years, California has amended its law several times to
clarify and make more precise the terms and conditions of the
requirements. Other States have adopted a variety of different
conditions, and in general it's fair to say that a patchwork of
requirements exists across the country.
As an organization may operate under a corporate charter
issued in one jurisdiction, locate its headquarters in another,
conduct business in many States, and deal with customers,
employees, vendors, and business associates in still others,
this lack of consistency can and often does result in
duplicative and conflicting standards and practices.
It is natural and predictable to seek consistency,
either in the form of a model or uniform law to be adopted by
the various jurisdictions, or by enactment of a federal law and
regulation structure to standardize the existing conflicting and
To be sure, various federal laws already subject certain
covered organizations to specific requirements in the event of
a data breach; financial institutions, educational institutions,
and healthcare providers are examples. Beyond their explicit
requirements, in most cases these laws do not supersede or
pre-empt State laws. This can cut both
ways: pre-emption may broaden the net of compliance and
enforcement, but may also restrict application or exempt
entirely certain types of organizations or data breach
Beyond notification requirements, the standard of remediation
remains relatively low. In most cases, the breached
organization offers the consumer a year or two of credit
report monitoring, with some measure of assistance from an
identity theft service company if an actual problem arises.
However, statistically, some 50% of all reported cases of
identity theft are of a kind that does not show up in a credit
report. The most vulnerable of these, with the greatest
potential damage, is currently medical identity theft; unless
the damage includes an unpaid claim for medical services that
reaches a credit report, such coverage won't help.
Here's an important note for consumers who receive
notification of a data breach and are offered a monitoring and
remediation service: be sure to enroll in the service promptly.
If identity theft later occurs and the consumer has not
enrolled, that failure to enroll may result in a waiver of any
claims against the breached organization.
In early 2015, the "Data Security Act of 2015" was introduced
in counterpart versions in both houses of the U.S. Congress. By
late 2015, the bill had been considered by the relevant
committees of both the House of Representatives and Senate, but
as of this time has not reached the floor of either body. At
this late date, the chances of enactment before the end of this
term of Congress are relatively low.
For the moment, it does not appear that there will be action
in 2016 by the federal government to enact any new national
breach notification law. But rest assured the subject will come
up next year with the new 115th Congress. Either way it comes
out, this year's result does not obviate the need for
consideration and decision to pass a law to deal with this
The Certified Identity Theft Risk Management Specialist® XV
(CITRMS®) course is now available both in printed format and
online. The Textbook and Desk Reference edition of the course
book is also available. Bulk pricing and discounts for veterans
and students are available.
Ross is ICFE's Director of Special Projects and the author of the
Certified Identity Theft Risk Management Specialist® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
identity theft risk assessment and management for consumers, for
organizations holding personally identifiable information, and for
professionals who work with individuals and organizations at risk of
falling victim to identity thieves.