While I don’t subscribe to the view that “I am from the government and I am here to help you,” I also fear a hysterical populist politician jumping up and down on a breach crisis involving a bank or oil company (great rabble-rouser villains) and rushing through a bad law. Remember the “never waste a crisis” political theory of the current White House chief of staff. If I thought the government would never pass a breach law, I might live with the current maze of 45+ inconsistent state statutes, but “sure as rain” they will get around to it. So let’s be proactive and keep the features/policies the IT industry needs and can live with. Think “FinReg”! Below are some of the most compelling arguments for a national law:
- 45-47 state law maze with no consistency
- Only 8 states have requirements for processes to prevent breaches
- A populist congressman will overreact to an incident with a bad bill
- Use the law to require awareness training for data holders’ employees
- Breaches as a “weapon” used by our enemies to destabilize the economy
- Require encryption of PII data in transit at a minimum
- Mass penalty is $5k per lost record: $5m for 1000 lost records?
- Protect all citizens: 5 states (AL, KY, MS, NM, SD) have nothing
- Lowers the cost of compliance by avoiding the same multiple tasks/audits
- US average breach cost is 2x the world average ($6.75m) due to notifying when you “think” a breach occurred
- Better prosecution/conviction by the FBI linking attacks
- 44 states only require notification to their own state residents
Now there are states’ rights issues, and if I thought the Uniform Law Commission, which involves 300 state officials from all 50 states, could “harmonize the state laws” in less than 4 years, I would ask them to drive the issue. But while they do great work, herding cats takes time we don’t have ($6m for the average US breach). So the industry needs to get behind Senator Leahy’s S1490, which will have hearings this year (more about it in later blogs), and get a bill the industry needs and can live with. Comments?
Posted on Sun, August 8, 2010 by Earle Humphreys