Federal breach notification legislation

2-3 paragraphs

On 12 January 2015, President Obama proposed legislation requiring companies that experience a data breach to notify affected customers within 30 days of the breach discovery (www.whitehouse.gov/the-press-office/2015/01/12/remarks-president-federal-trade-commission). Currently, 47 states have different laws regarding how people should be notified when breaches involve personally identifiable information (PII). The proposal unifies the complex patchwork of inconsistent state laws and regulations, and is expected to reduce compliance costs for businesses.

A similar requirement already exists for federal departments and agencies under 2014’s Federal Information Security Modernization Act (FISMA). The FISMA requires the director of the Office of Management and Budget to periodically update federal agency data breach notification policies and guidelines, and to notify various congressional committees no later than 30 days after a data breach is discovered.

What are the impacts (positive and negative) on businesses of the proposed federal breach notification legislation?