Early potential for national data breach regulation bears watching

Coming on the heels of numerous draft pieces of legislation from the U.S. Senate (including those from Sens. Carper, Snowe, and Rockefeller) is an announcement last week by New York Congresswoman Yvette Clarke that she hopes to begin congressional hearings within the next few months on creating a national law for the protection of private data. Clarke, who chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, cites the ever-increasing incidence of identity theft and public demand for action to make both public and private sector organizations more diligent in protecting personal information and in disclosing breaches of that data when they occur.

This idea bears watching, not least as a way past the industry segmentation of the private data protection and breach notification rules that currently exist: the clearest regulations apply to health records and financial data, and even those contexts have gaps. However, if the final version of the HHS rules on disclosure of health data breaches is any guide, new legislation should not merely extend coverage to personal data used outside health and finance; it might also best be crafted to remove some of the subjectivity and compliance discretion that organizations are allowed under existing federal rules, particularly the harm exception to disclosure for organizations suffering breaches of health data.