Wednesday, May 12, 2010

Thoughts on Data Breach Notification Legislation

So ...Canada's Alberta province has finally seen the light, and is the first province in Canada to enact Federal-level data breach notification laws.  Woohoo.

So why am I so excited you ask?  Because ...big deal.  Another "notification law".

So soon you Canadians up there will be just like us in the US'll get letter after letter telling you the companies you've trusted with your personal and private data have let you down ...oh - and here's a year of "free credit protection, thanks for playing".  It's all crap.

So we have PCI and other "compliance" regulations which turn into check-the-box exercises in due-diligence and "baseline absolute minimums"... and then we have the after-the-fact "notification" laws...

I'm still not excited ...but I should be right?  Why?

When there is an actual way to mandate corporate responsibility not just 'absolute minimum security' ...then I'll be happy.  Until then...congrats to Alberta, I guess.

1 comment:

Ben said...

Clearly you've not been reading my blog. Legal defensibility doctrine can absolutely be legislated, and in a meaningful and enforceable way.

BTW, breach notification is all good and fine, but what we really need is mandatory breach reporting and a national data breach repository (i.e OSF's Ping me if you'd be interested in hearing more about how that could work out (lobbyists).