We have needed a federal data breach law for a long time. Lobbyists have fought against it over the years for all the usual self-interested reasons.
On January 13th, President Barack Obama previewed a new data breach notification law in a speech to the Federal Trade Commission, which would set a 30-day deadline (after discovery of the breach) for notifications. The current patchwork of state data breach notification laws is a costly mess to deal with, as they all vary in how and when to notify victims. In Connecticut, you have to report a data breach five days after discovery; the period extends as far as 45 days in Ohio, Vermont and Wisconsin.

I would certainly welcome such a law, assuming it is clear and well drafted. What constitutes a breach? Lost back-up media? Encrypted or unencrypted? Do you have to prove that someone actually had access to the information?
It seems to me that the victims have a right to know as soon as practicable in order to protect themselves. As it is, companies have usually been breached for months before they discover the breach. The companies themselves need to fix that issue by detecting breaches earlier, but that doesn't mean they have the right to "disclose at their own pace." Any desire to study the attack is offset by the rights of the victims. And 30 days is not an insignificant amount of time in which to study the attack. But you can bet the opponents of a federal law will continue to rehash these arguments.