These bills add new threads to the already complicated patchwork of 46 state data breach laws. Some of these changes result in over-notification of users and others will decrease the incentive for businesses to protect information through encryption.
Consumers need to know when their information is compromised. But new legislation that forces businesses to prematurely notify consumers can result in consumer over-notification. Such over-notification desensitizes consumers to notices that truly require them to take action to protect their credit.
Some of the bills exclude financial or health data breaches – which is precisely when the consumer should be notified – and only impose notification requirements on less sensitive information.
For example, the Maryland bill would require social networks and photo sharing sites to prevent users from posting a photo that shows another person — without first obtaining and documenting that other person’s authorization.
The Maryland bill also discourages businesses from encrypting consumer data, based solely on claims that encryption isn’t perfect at stopping determined criminals.
Maine’s LD 158 gives businesses only 10 days to notify the AG and 30 days to notify users, or the businesses face stiff fines. But 10 days isn’t enough time to verify a breach even happened, let alone determine which users were affected. This short time frame is sure to result in premature notifications and false alarms, which are not in consumers’ best interests.
Today 46 state data breach laws already protect consumers, but these bills could end up exposing consumers to greater privacy risks.
We helped the Maryland legislature realize that their bill required more consideration.
The iAWFUL reflects the editorial views of the Executive Director of NetChoice and does not necessarily reflect the views of all NetChoice members.