My new home, Michigan, just enacted legislation requiring individuals or government agencies to notify me if my personal identifying information is revealed due to a security breach. (Given the ubiquity of data breaches these days, perhaps I should write “when,” not “if,” particularly with a spouse who works for the Veterans Administration.) This raises three interesting points. First, data security loss is sufficiently important as an issue to have made it onto the legislative radar screen in Lansing (and the executive scope as well – Governor Jennifer Granholm called for such legislation in her State of the State address last year).
Second, from a regulatory perspective, data security is headed in the opposite direction from spam – moving towards a diversity of approaches allowing the states to become Justice Louis Brandeis’s “laboratories of democracy” in this policy area. The question of uniformity via federal control versus variable means tailored to a state’s needs is a hardy perennial, and data security may offer another data point in the debate.
Finally, one wonders about effectiveness: will these laws mitigate the problem? Notification helps consumers take remedial steps, but it doesn’t work on preventing breaches in the first place. (Query whether greater liability for entities maintaining data would help. Also, query whether it’s obnoxious when lawyers use the term “query.”) The VA has finally taken the (obvious) intelligent step of using automatic data encryption on laptops – while this technique isn’t without challenges or potential weaknesses, it does help prevent automatic exposure when someone leaves a laptop at Starbucks.
Stay tuned. If data security remains a consumer protection issue, I believe we’ll see federal legislation. Whether it acts as a floor or a ceiling remains to be seen.