David Seltzer, South Florida criminal defense attorney who specializes in cybercrimes
Federal legislation resolving the various state laws and issues is a good thing, so long as it does not overstep boundaries by interfering with business practices or operations. Currently, various states have different regulations and notice provisions, which can be a compliance nightmare for corporations. In unifying these regulations, corporations will have a better set of instructions as to how they must deal with security breaches. Corporations often do not want to disclose breaches because the negative publicity can affect their bottom line and indicate a weakness in their infrastructure. From a consumer point of view, a federal data breach law is necessary to avoid delays in the disclosure of breaches. Delayed disclosures lead to damages or identity theft for the consumer. Federal guidelines for immediate disclosure and notification, with hefty fines or criminal sanctions for noncompliance, should deter another Sony situation, in which disclosure was delayed.
Neal O'Farrell, executive director, The Identity Theft Council
While a single national data breach law is a good thing, President Obama's version is barely a good start. I can't tell if this law is designed to protect data breach victims or to protect breached entities from serious consequences. Worse than just a slap on the wrist, it is almost a pat on the back. As written, the bill would provide a $1 million cap on civil liabilities, exclude email addresses under the definition of personal information, allow breached entities to decide whether victims are harmed, and provide a 60- to 90-day gap before notification would be required.
I can't see any reason why a cap on civil liabilities should be included in such a bill, unless it is to appease industry. Email addresses should not be excluded, because they are still powerful information. And breached entities should never get to decide whether victims are harmed or not – harm is in the mind, or wallet, of the victim. Plus, 60 to 90 days is too long for notification.