The Data Accountability and Trust Act could be going to a House vote soon.
Somehow, someway, I smell “CAN-SPAM 2,” only much more serious. The legislation provides for consumer notice in the event of a breach, but only if there is “reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other lawful conduct.”
First, who the hell determines what a “reasonable risk” is? The FTC, after a breach? Second, consumers would be allowed access to their data, and a chance to correct inaccurate information. Isn’t that issue covered by the Fair Credit Reporting Act already?
The problem with notice is the speed in which it is executed. If data brokers had statutory liability for each breach, say tied to actual damages their breach caused, plus mitigation costs, they would spend a lot more money on internal security procedures, and be a lot more likely to notify affected consumers with speed and efficiency.
Right now, it sounds like they are being given incentives to cooperated with some governmental body, which thereby covers their own butts. And not much more.