The many state breach notification laws have been a thorn in the side of business for some time, and a coherent national breach law is needed to resolve the quagmire. There are 47 different state breach laws, 8 of which also impose requirements on data holders to prevent a breach. As an example of how difficult it is even to know whether your business is in violation of a particular state's breach law: I wonder how many businesses know they have to notify the New Jersey State Police Crime Unit before issuing a breach notification to their customers in order to be in compliance.
There are two federal laws on the books that touch on breach notification: the Gramm-Leach-Bliley Act, which imposes breach notification obligations on financial institutions, and the FTC's rule requiring holders of data to have a "reasonable" obligation to disclose breaches. And since February 2010, HIPAA has required data holders and their third-party providers to disclose breaches. Currently three congressional breach notification bills are in process: H.R. 2221 (passed the House in December 2009), S. 139 (reported from committee in November 2009), and the one backed by the US Chamber of Commerce, S. 1490 (reported out of committee in December 2009).
CompTIA (the major IT industry association) has begun to push for passage of a national law through its Security Special Interest Group and its public policy arm. CompTIA's membership hopes to influence the final bill to include: a definition of what constitutes a breach for notification purposes; requirements for the data holder to remediate the cause of the breach; and a definition of liability for a breach beyond the notification obligation alone.
The time to end this patchwork, which is hurting commerce, has come! There seems to be both the political will and the push from business to make a national breach law a reality. Let's hope!
Posted on Thu, August 12, 2010 by Earle Humphreys