The Time Has Come For a National Data Breach Notification Framework

The world has changed a lot in the last decade, and as it continues to get more complicated, it's imperative that we promote and adopt public policies that reflect this. The mobility of people, devices and data will only continue to expand in new and novel ways that we cannot possibly predict. Consumers and small- to medium-sized businesses (SMBs) need a national data breach notification (DBN) framework that provides one-stop shopping and clear rules of the road for notifying consumers when their personally identifying information (PII) has been breached, eliminating regulatory uncertainty.

DBN laws generally require businesses to notify consumers that their PII has been breached or disclosed to unauthorized individuals. The first state DBN law was enacted by California in 2003 in response to rapid growth of the Internet. But what started 10 years ago as an effort to ensure consumers received notice about a breach to their PII has turned into a complicated quagmire; a patchwork of more than 47 state DBN laws that complicates the notice process for consumers and adds an unnecessary regulatory barrier for SMBs.

For example, state DBN laws vary as to when a consumer notice should be provided. Some state DBN laws require consumer notice when a company is made aware of a breach. Other state DBN laws require notice only if the breached data has the likelihood of resulting in harm to the consumer. Moreover, all state DBN laws differ on the type of penalties and fines that can be imposed and whether a consumer can file a private right of action against a company that has suffered a breach of consumer PII.

Under the current state-by-state DBN regime, there are various scenarios in which state data breach laws do not help the consumer and create regulatory uncertainty for SMBs. For example, what happens when a California resident traveling out of state on business shares his or her PII and credit card information with a website to buy something via a mobile device and the PII is subsequently breached or compromised?

Since each state has different notice obligations, the average consumer who is the victim of a PII breach faces a herculean task tracking down where the breach occurred and whether he or she should expect notice from a business. If a data breach was the result of information provided while traveling and using a mobile device, then the notice obligations will be unclear and muddled at best. This is a terrible scenario for the consumer and for SMBs that use mobile platforms.

The dynamic nature of our mobile economy creates the need for a national DBN framework that can provide consumers and SMBs with consistency and predictability on how consumer notice must be and is provided.

For these reasons, state DBN laws could be a thing of the past. This is not to say that DBNs are no longer needed. Consumer notice about a breach of PII is a fundamental consumer right that must be protected. However, a national DBN framework is the most logical and efficient model.

To learn more about this and other issues facing tech SMBs, visit and check out its new white paper, "Keep Consumers' Personal Data Safe Across State Boundaries."

David Valdez is senior director of public advocacy at CompTIA. He can be reached at dvaldez[at]


About the Author