CIOs prepping a notification in the wake of a breach of personal information must comply with the law for each state in which a customer lives. That could potentially mean following the small details in at least 43 different laws (the District of Columbia has also passed legislation).
Yet federal lawmakers have yet to pass a similar law, though not for lack of trying.
Currently, Congress has its hands on no fewer than nine different bills that would set notification procedures of some sort. Three of those are specific to federal agencies and would not affect private businesses.
But the other six would. And from a response perspective, that could be a good thing.
"A federal omnibus data protection law would obviously impose uniformity and greatly simplify the issue of when notice has to be provided and under what circumstances," said Forsheit, who specializes in privacy and data security compliance law.
That could be especially beneficial to midmarket IT departments, which work with smaller staffs and may not have legal counsel on hand in the company.
Forsheit singled out two Senate bills as having the most traction right now. S. 495, known as the Personal Data Privacy and Security Act of 2007, is sponsored by Sen. Patrick Leahy, D-Vt., but is given equal support by Pennsylvania Republican Sen. Arlen Specter.
S. 239, known as the Notification of Risk to Personal Data Act of 2007, is sponsored by Sen. Dianne Feinstein, D-Calif. The bill made it through the Senate Judiciary Committee last year and has been untouched since then.
"There hasn't been any action on most of these for a very long time," Forsheit said. "Most of the bills have been languishing for almost a year, or in some cases, a year now."
Many of the bills are simply updated versions of legislation that stalled in Congress in previous sessions.
Leahy's bill, too, has been in limbo since last May, when it was reported out of the judiciary committee and placed on the Senate calendar. Along with Feinstein's bill, it now awaits scheduling for floor discussion by Senate Majority Leader Harry Reid, D-Nev.
But neither bill has received that shot at moving forward, despite a recent push from Leahy and Specter to bring their bill to fruition.
On March 25, the two senators revived their calls for a law, citing the news that state department employees had snooped into the passport records of the three major presidential candidates. That was just one of their examples.
"This week, front-page headlines have delivered news about the theft last month of personal information from the National Institutes of Health," the Senators wrote in a March 25 letter to Reid and Mitch McConnell, the leading Senate Republican, of Kentucky.
"Earlier reports have involved virtually every department of the federal government," they wrote.
The two argued their bill would "provide protections for consumers, including a timely notification of data security breaches." The bill would also require government contractors to properly safeguard personal information, the senators wrote.
Senator Barack Obama, D-Ill., became a cosigner of the bill on April 1. The bill was introduced in early 2007.
S. 495 would require consumer notification "without unreasonable delay" if "sensitive, personally identifiable information" is lost, stolen or otherwise viewed.
That is defined as a person's first and last name, or first initial and last name, combined with a complete Social Security number, driver's license number, passport number or alien registration number. Financial account and credit card numbers, combined with a security code or password also qualify. There are also provisions for certain combinations of names and addresses, telephone numbers, birthdays and a mother's maiden name. Finally, data like fingerprints and iris images also apply.
Reasonable delay is defined as time required to determine how large the breach was and prevent a further breach. A delay is also acceptable with the OK of federal law enforcement agents.
Exemption from notification is also allowed if the information is encrypted in such a way that creates "no significant risk" in harm.
The bill allows for notification by mail, phone or email. Media notice is required if more than 5,000 people could be affected in a particular state. The notification must include a description of what information has been taken and toll-free numbers to contact the business and credit reporting agencies. It allows for states to require the business to provide information about victim protection assistance.
Feinstein's bill closely mirrors S. 495. It does not, however, include the Leahy bill's requirements for businesses to establish a "data privacy and security program."
Forsheit said there is some talk from consumer groups looking for a law that would require notification in the event of any data breach, though most of the bills have requirements like the encryption exemption.
But otherwise, she said she sees no major sticking point or debate that is holding the bills back. Breach notification does not appear to be a partisan issue, as evidenced by the dual support from Leahy and Specter.
Forsheit's best guess for the lack of movement? Congress has other issues to deal with.
Let us know what you think about the story; email: Zach Church, News Writer