Would a federal data breach law really be too costly for the private sector?
Are you curious about the cost of a data breach notification law? Here’s the analysis of S. 1151, the Personal Data Privacy and Security Act of 2011, proposed by Senator Leahy. It appears that the biggest added cost to the private sector would be on improving security and not from breach notification since 46 states already require them to notify consumers of breaches.
The cost per entity of the data privacy and security requirements would depend on the rules to be established by the FTC, the size of the entity, and its current ability to secure, record, and monitor access to data, as well as on the amount of sensitive, personally identifiable information maintained by the entity. The majority of states already have laws requiring business entities to utilize data security programs, and it is the current practice of many businesses to use security measures to protect sensitive data. However, some of the new standards for data security in the bill could impose additional costs on a large number of private-sector entities.
For example, under the bill, businesses covered under subtitle A would be required to enhance their security standards to include the ability to trace access and transmission of all records containing sensitive personally identifiable information. The current industry standard on data security has not reached that level. According to industry experts, information on a particular individual can be collected from several places and, for large companies, can be accessed by thousands of people from several different locations. The ability to trace each transaction involving data containing personally identifiable information would require a significant enhancement of data management hardware and software for the majority of businesses. Further, the bill’s definition of sensitive personally identifiable information is broader than the current industry standard.
This definition would significantly increase the number of entities that would be required to implement new or enhanced data security standards. The aggregate cost of implementing such changes could be substantial.
Okay, but if they invest in what would be mandated security and save on breach-related costs, that doesn’t sound like a bad deal to me. Aren’t we constantly reminded how high breach clean-up costs are? And the trade-off here also seems to involve prohibiting a private cause of action for violation of contractual agreements – and isn’t that something that Facebook, Zynga, and others are fighting for?
I’m not saying that I particularly like or want this bill to be enacted. I’m just saying that from a cost standpoint, it doesn’t appear to be excessive when one considers what would be gained or off-set.
What do you think?