Ad Groups Push For Data Breach Law

A coalition of industry groups says it supports a national law requiring companies to notify consumers about data breaches -- but only when the breach “poses a significant risk” of identity theft or economic harm.

“An overly inclusive trigger would cause consumers to be burdened with unnecessary notifications,” the Direct Marketing Association, American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Online Publishers Association and 11 other organizations say in a letter to lawmakers.

The groups are asking Congress to avoid crafting a broad definition of “sensitive personally identifiable information.” The ad organizations specifically say that the type of information that's available in phone directories should be excluded from any definition of sensitive PII. “A balanced bill would also exclude public records and information derived from public records from its scope,” the groups write.

Forty-seven states already have laws requiring companies to notify consumers after a data breach. But the DMA and other organizations say that the hodgepodge of laws “frustrate efficient and uniform breach notification to consumers.”

The trade associations also say that any new law should prohibit consumers from suing privately.

The DMA has long supported a national data breach law, while also vocally opposing laws that would impose new obligations on data brokers.

The group has argued in the past that Congress should concern itself with practices that could leave consumers open to fraud, and not those that pose more intangible privacy concerns.

2 comments about "Ad Groups Push For Data Breach Law".
  1. Paula Lynn from Who Else Unlimited, May 23, 2014 at 11:11 a.m.
    How sure are those who determine what a significant risk is and when it will be significant in a week, a year, 10 years? How much of an expert in a particular field does one need to be to be the determiner? What is "sensitive personally identifiable information" not identifiable today may be very easily identifiable in the near or later future that can cause severe harm. Therefore, until we have seers to be able to predict, ALL breaches must be reported.
  2. Craig Spiezle from Online Trust Alliance, May 23, 2014 at 1:43 p.m.
    The OTA has long advocated for strong federal breach legislation and to protect companies that adopt industry best practices to secure their data. In the absence of such safeguards they should not be afforded any protection from State enforcement or private lawsuits. More at https://otalliance.org, including the related Senate Testimony. As stated by many of these trade orgs, the goal is to limit liability of data-driven marketers who fail to be data stewards.