The Personal Data Notification and Protection Act

March 17, 2015 | Authors: James J. Giszczak; Dominic A. Paluzzi
Law Firm: McDonald Hopkins LLC - Bloomfield Hills Office

Little is currently known about what the Personal Data Notification and Protection Act will ultimately require and mean for businesses, but its key focus appears to be the creation of a national data breach notification standard that would require businesses to notify their customers within 30 days of discovering a breach of personal information.

Many businesses, especially those that collect data from customers across many states, may welcome a nationwide breach notification standard. Because the state of residency of the affected individuals currently dictates which law applies, organizations often struggle to comply with the patchwork of 47 individual state breach notification laws, which vary significantly. Only three states do not currently have data breach notification laws: Alabama, New Mexico, and South Dakota.

Many businesses, however, are not happy with the proposed 30-day notification timeframe, because it is a short period in which to comply and it matches some of the strictest state-law notification requirements.

A key point about the proposed law that remains unclear is whether it will expressly preempt state data breach notification laws (similar to how ERISA works in the state-law context), or whether it will merely set a minimum standard and leave the states free to enact or retain their own stricter laws (as states are allowed to do in establishing higher minimum wage rates).

Many commentators believe the law will preempt the multitude of state laws. It is foreseeable that most businesses will welcome this universal standard, but some may worry that it will allow a weaker standard than some state laws currently provide and preclude the states from enacting or retaining stricter, stronger protections. The various state attorneys general may also lose enforcement power and the ability to levy fines and penalties.

One thing that is clear is that the proposed law would give the Federal Trade Commission the authority to enforce it and would allow the agency to levy penalties on businesses that fail to comply. If passed, the law would also criminalize the international trade of illegally obtained personal information.