US should have central data breach notification law, say White House advisers

Out-Law News | 02 May 2014 | 3:45 pm | 2 min. read

US businesses could be compelled to notify consumers about personal data breaches they experience if a recommendation made by a group of White House advisers wins support.

A working group set up by President Barack Obama to review 'big data' opportunities and privacy implications has, in its report (85-page / 1.14MB PDF), called on US lawmakers to introduce new rules on data breach notification in the country.

"As organizations store more information about individuals, Americans have a right to know if that information has been stolen or otherwise improperly exposed," the report said. "A patchwork of 47 state laws currently governs when and how the loss of personally identifiable information must be reported."

"Congress should pass legislation that provides for a single national data breach standard ... Such legislation should impose reasonable time periods for notification, minimise interference with law enforcement investigations, and potentially prioritise notification about large, damaging incidents over less significant incidents," it said.

A survey commissioned by the UK government recently revealed that fewer than a third of UK businesses' worst information security breaches go public. Those figures may change in future if new personal data breach notification requirements are introduced, as is intended under the planned reforms to EU data protection law.

The report, which was jointly authored by a counsellor to Obama, the US secretaries of commerce and of energy, the director of the US Office of Science and Technology Policy and the policy director of the US National Economic Council, also called for a new Consumer Privacy Bill of Rights to be drawn up.

The White House previously outlined plans for a new Consumer Privacy Bill of Rights alongside new data privacy principles in 2012 and has been urged to revisit and develop those plans further.

"The Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework ... could be embraced within the framework established by the Consumer Privacy Bill of Rights," the report said. "Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and for submission by the president to Congress."

The report also recommended that the ability to process personal data collected from schools about students should be restricted. It said the data should be used for "educational purposes" only. It further called on the US government to extend privacy protections to non-US citizens and for changes to be made to the Electronic Communications Privacy Act so as to improve privacy protections around email content.

The report stressed the potential of big data to "unlock previously inaccessible insights from new and existing data sets" and to "fuel developments and discoveries in health care and education, in agriculture and energy use, and in how businesses organize their supply chains and monitor their equipment". However, it also warned of the risk that "small biases" that can accrue from analysing data "become cumulative, affecting a wide range of outcomes for certain disadvantaged groups".

"Society must take steps to guard against these potential harms by ensuring power is appropriately balanced between individuals and institutions, whether between citizen and government, consumer and firm, or employee and business," it said.