On the heels of an unprecedented year of major data breaches affecting some of America’s largest retailers, President Barack Obama recently announced his bid to propose new legislation that protects consumers from identity theft and other forms of digital trespass. This proposal represents the first attempt at a national data privacy regime.
Citing that nearly 100 million Americans have had their personal information compromised and roughly ninety percent of the population has, at some point, lost exclusive control of their personal information, President Obama announced that he will seek to establish federal criteria for the reporting of data breaches. The effect of the proposed federal criteria would preempt similar laws at the state level that tend to confuse or contradict. Specifically, the President indicated that custodians like retailers and financial institutions will be required to report data breaches within thirty days so as to facilitate a proactive response from government agencies and consumers alike. Perhaps most importantly, President Obama’s new data privacy infrastructure also seeks to establish a Consumer Privacy Bill of Rights that would codify basic principles of data privacy that all custodians must abide. In addition, the Consumer Privacy Bill of Rights would set in place certain baseline protections across all industries that would operate as minimum standards for the care of sensitive personal data.
Although there is little doubt that a national data privacy framework will do much to aid consumer expectations in respect of how their private information is shared and protected, custodians such as retailers, educational institutions and financial establishments should be mindful that increased federal involvement is likely to mean greater regulatory oversight and potential for litigation. With due apologies to our colleagues who must now confront the maelstrom of regulatory compliance, we with a litigation bend tend to foresee that federal data privacy legislation will not only require custodians to actively revisit their policies and procedures across the board, but will serve as the minimum standard of care for losses resulting from data breaches and in all likelihood give rise to per se negligence claims.
For our part, and the part of those intimately involved in industries where ever-evolving technologies impact the ability to account for private personal data, the suggestion of federal data legislation should therefore serve as a call to take action before potential losses make their way to courtrooms across the country that have likewise sensed the specter of litigation and eagerly awaited a uniform direction. Thanks to Adam Gomez for contribution to this post. Please contact Brian Gibbons with any questions.