Currently, businesses responding to a breach of their customers’ personal information must consult a patchwork of state laws to determine what steps they are required to take to mitigate the damage, including whether and to what extent they must notify those customers that their information may have been compromised. There is not yet a federal privacy statute applicable to such situations. (More information regarding the present state of the law on this issue can be found here.)
However, since all of the alternative legislation now pending in Congress would preempt state laws to one degree or another, it makes sense for companies to begin to familiarize themselves with the direction that Congress might be heading in this regard in order to ensure early and full compliance with whatever rules Washington ends up enacting. The various privacy bills still pending in the House and Senate described in the article referenced above are a good place to start. In addition, though, on April 30, 2007, Congress received a report on a study conducted by the U.S. Government Accountability Office (“GAO”) in order to assess the government’s own response to data breaches. While the stated aim of the study was to help federal agencies improve their ability to respond to such incidents, the basic framework of the GAO’s policy recommendations incorporates many concepts found in pending federal and enacted state legislation, and it is therefore easy enough to translate to a business context. To the extent that the report will return congressional attention to the issue of data security, it should be a useful resource for businesses wanting to begin early implementation of internal procedures that likely will not be too far from the mark, once a final federal rule is enacted and becomes effective.
Many of the GAO’s policy recommendations will sound familiar to those who have some experience with existing data security regulations and best practices. Among other measures, the report recommends: a “two-tiered” approach to incident reporting, where all incidents are reported to a designated, responsible government office, with only those entailing a risk of identity theft being reported to the affected individuals; the designation of a “core management group” to be responsible for quickly responding to incidents; the implementation of mechanisms to allow for the efficient retrieval of addresses of potentially affected individuals for notification purposes; and taking steps to ensure awareness and training on data security issues, both among internal staff and among contractors.
The full report may be obtained here.