The Obama administration proposed a new federal law that would require companies to notify consumers and the federal government about data breaches that could expose people to identity theft. In most cases, companies would have to notify consumers that their personally identifiable information has been compromised within two months of the breach.
“The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements,” according to a White House press release.
But some privacy advocates criticized the measure, saying it prevents states from passing tougher measures in the future. If passed in its current form, the administration’s proposal “actually weakens existing state laws already in force on this subject,” says Eduard Goodman, chief privacy officer at Identity Theft 911, Credit.com’s sister company.
The proposal keeps the current definition of sensitive personally identifiable information as someone’s name and Social Security number. Some privacy experts have said that the definition fails to take into account things like email addresses, usernames and geolocation data, which can help thieves steal identities.
A company would not have to tell consumers about a data breach if it collects sensitive information about fewer than 10,000 people a year, if the company’s own risk assessment finds little risk that the breach has harmed people, or if the lost data was encrypted.