A bill put forward for consideration in the U.S. state of Colorado sets out tough new regulations for database operators in the event of a leak. Companies would be required to inform victims by letter or electronically, or even via state-wide media in the case of a major leak. However, the wording of the draft law leaves businesses a significant loophole:
The U.S. state of Colorado is currently debating the pros and cons of adopting a draft bill on private data. The proposed law would oblige companies with databases of private records belonging to private individuals to inform the victims if that data was ever compromised.
Legislators noted that the law, HB 1119, follows headlines over the past year about hackers breaking into databases under private control and making off with confidential information. Sensitive data such as Social Security numbers, credit card details and other personal information have all fallen into the hands of criminals.
All companies with databases that do business in Colorado would be subject to the law. Business representatives have already stated publicly that the demands of the bill are nothing new, and that companies will adhere to them strictly. However, consumer advocacy groups say there is a gap in HB 1119, the result of an ambiguous phrase: individuals only need to be informed if a leak is "likely to cause loss or injury to the person." In other words, when a company does not know who stole the data or why, it could in theory keep quiet and not inform the affected party.
To some extent the law would rely on the "good faith" of companies to make an effort to notify consumers "in the most expedient time possible and without unreasonable delay." The law would also require a company to inform those affected by a leak in either letter or electronic form unless the cost exceeds $250,000 or more than 250,000 people are involved. In that case, the company would have to post a "conspicuous" note on the Internet and state-wide media.
To put the proposed law into context, it is worth pointing out that in the last year the private details of 52 million Americans have been compromised as a result of leaks. That has led to unprecedented activity by legislators: 25 states already have their own laws regulating incidents involving data leaks. Enterprises doing business in several states have already run into a variety of difficulties, since every state's law has its own peculiarities and the basic requirements vary from state to state. The differences can be studied in a table summarizing the various laws.
"The law in Colorado will add to the series of local laws across the U.S. combating leaks of private data. It should all lead to the adoption of a single unified federal law which combines the requirements of the local regulations and simplifies the functions of big business. But no national law has been adopted yet, and for at least a few more months companies will have to bear the individual regulatory burdens found in each state," says Denis Zenkin, marketing director at InfoWatch.
Source: Rocky Mountain News