Are We Ready for a National Data Protection Law?

A by-product of almost every transaction made by people today is personal data being stored electronically somewhere – usually in several different places such as a retail outlet, bank and credit card companies.

According to the Federal Trade Commission, in a 2006 Identity Theft Report by Synovate, during 2005 8.3 million American citizens were victims of identity theft. And while identity theft is a federal crime there are no federal laws to protect personal data on a national basis. Some of the laws currently in force deal with specific industries: Gramm-Leach-Bliley Act (GLBA) applies to financial entities, Health Information Portability and Accountability Act (HIPAA) is for healthcare, Federal Information Security Management Act (FISMA) is for government entities, Payment Card Industry/Data Security Standard (PCI/DSS) for the credit card payment industry and so on. Individual states have also been busy enacting various laws to help protect their citizens from identity theft and related incidents. One example is the State of Maryland House Bill 208.

This law requires businesses that have personal information to notify the residents of Maryland in the event the business’ computers are breached and the personal data may have been exposed. The Maryland law also requires businesses to “…implement and maintain reasonable security procedures and practices…” But these, and other State laws, are only valid at the State level.

Our Country Needs a Data Protection Law

What our country needs is a national data protection law — one that can be used as a basis for protection and that individual states and industries could opt to expand. This law would define baseline protections that must be afforded to personal information regardless of who is collecting, storing and using the data. Such a law would also mandate that the government would have to define exactly what data elements are to be considered “personal”. For those of you familiar with the laws above know, what is considered “personal” to HIPAA is not the same as GLBA.

However, some similarities do exist and from these a common definition of “personal” data can be established. These similarities can also be found in the pending bills before the US Congress. An on-line search at the Library of Congress  for the phrase “data protection” returned several pieces of legislation that are yet to be voted on, eleven of them containing the exact phrase. Many of these documents seemed to focus on the notification aspect of after a breach has occurred however Senate Bill 495 (S. 495) is fairly comprehensive in the protection of sensitive personal data. But what this bill and others does not do is definitively list the data elements to be protected.

Data Protection Legislation

The proposed legislation reviewed for this article revealed that (with one exception – S. 495) a person’s name, address, and phone number would be required to be protected along with a list of other elements if used in combination with the required elements. Among these “combinatory” elements were social security numbers, financial account numbers, PIN numbers, driver license numbers, and biometric data to name a few. Senate Bill 495 only requires the person’s name to be protected and as part of the “combinatory” elements lists “social security numbers, passport numbers, and driver license numbers all of which are ‘non-truncated'”.

Senate Bill 1558 (Federal Agency Data Breach Protection Act) did not specifically list a person’s address or phone number but all of the data elements listed were required. S 1558 also included the phrase other linkable information to the individual which could be taken as address and phone number, among other items. Individual industries can then add more pertinent elements as necessary. From the “common” list of elements an appropriate protection scheme can be built.

Enacting a national data protection law may help us with the international community as well. The European Union (EU) has established a data protection directive, and several countries within the EU have adopted their own individual data protection laws. Australia, Japan, Canada, and other countries have all adopted similar legislations — some wrapped into a national privacy law but the protection portions still exist. Occasionally it is reported in the news that certain negotiations between the US and other countries, normally involving trade, are held up while discussions are held concerning the lack of adequate protection of personal data from non-US citizens. A national data protection plan may help these negotiations progress. It certainly couldn’t hurt.

I certainly support the various laws (federal and state) that have been enacted thus far. They are necessary for prosecuting criminals and assisting victims of identity theft. We need to go to the next step and enact a data protection plan, on a national scale, that can be expanded as needed by state or industry. My plan would be similar to many of the requirements found in Senate Bill 495 however I would like to see a better definition of the required elements and the “combinatory” elements. It would not include phrases like “non-truncated”.

This national data plan would apply to all entities (public, private, and governmental) so that the data is protected regardless of who has it. Such a plan would help us reduce the number of victims and the severity of consequences of identity theft and aid in negotiations with other countries to boot. Are we ready for a national data protection law? For the reasons stated above I think so.

 UPDATE – Massachusetts enacts data protection law

I see where the Massachusetts state legislature has enacted a data protection law for their residents. Basically the law states that anyone (not just in the State) who gathers certain information on Massachusetts residents must take certain protective measures for that data. So if a Massachusetts resident were to purchase something on-line from a site in Tennessee the seller would be responsible for protecting some, if not, all of the data on the buyer. While I applaud Massachusetts on taking this stand this has the potential of causing mass confusion for business owners.

When other states develop their own data protection laws, and why shouldn’t they, they may use the Massachusetts law as a model but there will certainly be some minor changes/tweaks/etc. to satisfy each state legislature. Looking down the road this has the impact of causing business owners to be aware of, and build the infrastructure to accommodate 50+ (including US territories) sets of data protection laws – the costs of which could be enormous. The possibility of this furhter emphasizes the need for a baseline, national data protection law. States could increase the protections but could not decrease the minimum measures required to protect US residents data. Again I call for the US Federal Government to be proactive rather than wait for confusion and headaches 50 such state laws will cause. To read more on the Massachusetts law – go to  Massachusetts Data Protection Law