“We are in favor of a national security breach standard,” said Jerry Cerasale, DMA’s senior vice president of government affairs. “The bill has provisions that allow us to use personal information for our purposes—in order to verify people are who they say they are in transactions to prevent identity theft and other fraud.”
Currently, many states have their own notification requirements for dealing with a data breach. For example, if the personal information of residents of Florida, Texas and Maryland was compromised, the data broker would have to follow three different state laws in letting those consumers know that their information had been stolen.
“We’ve gone through the process to try and protect consumers’ identity in a way that allows businesses to continue working,” he said. “It’s been a good balance and we’re happy with the draft.”
He said the DMA will continue to work with the committee on some of the implementation provisions.
But some privacy advocates say Rush’s bill isn’t necessarily better than the existing state laws on data breach notification. California’s data breach law, passed in 2003, has some of the strongest standards for data breach disclosure. A number of other states imitated that law.
Rush’s bill would pre-empt state laws and could water them down, said Chris Calabrese, who handles privacy issues for the American Civil
And since many states have followed California’s lead and adopted similar data breach laws, companies should be able to comply