Data commissioners in the United Kingdom, Canada, New Zealand and Australia are looking to update their rules around data breaches. The Center for Information Policy Leadership, sponsored by the law firm Hunton & Williams, put out a paper that suggests these countries should learn from America’s mistakes when it comes to handling data breach legislation.
Among the missteps, according to the paper, “Information Security Breaches, Looking Back and Thinking Ahead” by Fred H. Cate:
Defining the term “security breach” so broadly that it makes the term, and the notices it prompts, less meaningful.
Focusing too much on notices to address security breaches, which shifts the responsibility to the responsible parties to the innocent data subject.
Justifying notices as a response to identity fraud.
Ignoring the limits of notices and the negative consequences of their inappropriate use.
Applying a twentieth century response to a twenty-first-century problem—“notices are too slow, too cumbersome, and too poorly timed to provide meaningful protection for information security.