It’s been more than five years since California passed its pioneering SB-1386, which requires companies that lose personal information of customers to notify them, took effect. Since then, about 45 states have followed suit.
But still no federal law. (To find out why, perhaps it would be wise to ask those five hold-out states why they haven’t approved similar legislation).
It’s not that Congress hasn’t tried. Over the past few years, a number of bills have circulated the two houses. But none have found their way to the president.
When President-elect Obama takes office, there surely will be renewed optimism that such a law could get the green light. After all, the Illinois senator seems more interested in cybersecurity than President Bush – and he’s receiving detailed guidance from the Commission on Cybersecurity for the 44th President.
But, corporations and consumer-rights advocates will continue to wrangle over what the threshold should be to report. And, remember, Congress will be busy. There’s that whole worst-economic-climate-in-80-years thing to deal with.
I’m thinking we’re going to have to wait until 2010. Of course, another TJX just may fast-track a federal data security bill right to the Oval Office.
One thing is for sure, though: Creating a nationwide law will standardize and, as a result, simplify the reporting process for companies that experience a breach. And as we all know, it’s not “if” but “when” you’ll be drafting that “We lost your Social Security number” letter to consumers.