Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues
Craig Hoffman of BakerHostetler offers his thoughts about proposed legislation on Data Privacy Monitor.
Here’s one example of what Craig thinks needs to be clarified in any bill:
Owner/Licensor. Most state laws require the “owner” of the “personal information” that was stolen to notify the affected individual, while a “licensor” or “processor” of the data is required to notify the “owner,” which in turn is required to notify the individuals. The dichotomy of “owners” versus “licensors” and “processors” does not neatly apply to how data is collected and used. Payment cards provide a good example. Banks that issue the cards often assert that they are the owner of the card data. When a card is swiped at a retailer, many retailers only use the data from the magnetic stripe to gain authorization for the transaction (and they do not store that data). If payment card data is stolen while it is being routed through the retailer’s system to its processor, it’s hard to view the retailer as the “owner.” If not, then is the retailer supposed to notify the issuing bank, which would then notify the cardholder?