US Attorney General calls for unified data breach notification laws

US Attorney General Eric Holder has put his weight behind a growing wave of pressure to improve how data leaks are handled by companies and institutions.

Interest in improving ways to ensure people are protected from leakage of personal data, and kept informed when such breaches do occur, has boomed since the recent barrage of large-scale, headline-making compromises in retail and tech firms.

Holder used the platform of his weekly video message, posted on the website, to talk about “Protecting Consumers from Cybercrime”.

Responding explicitly to the recent Target and Neiman Marcus leaks, the Attorney General demanded Congress get busy developing a “strong national standard” for breach notifications.

He claimed this would make it easier for law enforcement to investigate breaches, make breached entities more accountable for any sloppy security practices and help those whose data has been leaked.

The need for federal-level controls over how we react to data leaks has been pointed out before, of course, with current regulation fragmented across state lines.

Most states have at least some rules in place, as do territories such as Guam, Puerto Rico and the Virgin Islands, but there’s little by way of uniformity or consensus.

A few states, including Alabama, Kentucky, New Mexico and South Dakota, appear to have no regulations in place as yet, while at least 17 are working on tweaks to their current rules, aiming for clarity but contributing to the general chaos.

European law seems to be well ahead in terms of consistency and clarity, with centralised regulation of all manner of privacy and data handling issues, although these rules are of course still not immune from criticism.

Like much Euro-law, central policy is complicated by the need to interact with overlapping local regulation, and such complications tend to get amplified as rules are applied on a wider scale.

But if Europe and the US can agree on fundamentals and create a widely-accepted basic standard, this could lead to baseline rules which can be adopted and applied around the world.

Regulation and law at the national or federal level is a good step forward, but ultimately the internet needs fully global law (and law enforcement) to cope with the global nature of internet crime and malfeasance.

Holder’s pushing of this agenda is greatly welcomed, but his ideas should be considered just another step on the long road to a safer digital planet.