The Department of Commerce’s “Internet Policy Task Force” prepared a green paper outlining possibilities for a national data protection policy. Consumer information security is of paramount importance to the government agency, so it wants Fair Information Practice Principle issues front and center on the state-crafting agenda — and it wants it NOW!
Data Protection Policy: Fair Information Practice Principles (FIPPs)
The data protection principles known as Fair Information Practice Principles, or “FIPPs,” are already acknowledged and followed by most government departments. They’re a set of data protection principles that address the proper handling of customer PII. For example, one of the DHS’s principles is:
Transparency: Organizations should be transparent and notify individuals regarding [the] collection, use, dissemination, and maintenance of personally identifiable information (PII).
FIPPs are broad and used as guides for Internet lawmaking, rather than data protection policy rules in and of themselves.
FIPPs: Industry-Specific Consumer Information Security Codes of Conduct
When the FIPPs task force solicited public opinions about the data protection policy guidelines, small businesses responded clearly: FIPPs are too vague to be effective. How can the problem of ambiguity be solved? Small business associations recommend that each industry develop a “voluntary” code of conduct and establish market-specific self-regulating bodies that work closely with the FTC to bust “bad guys.”
FIPPs Recommendation: National Standards for Security Breach Notifications
A Security Breach Notification, or “SBN,” is an alert sent to people affected by privacy breaches — or, to be blunt: if a company gets hacked, it’s required to send an SBN to affected users and clients. At the time of this writing, SBN rules are strictly a state issue.
The lack of federal data protection policy standards is a burden for companies with branches in multiple states — as they must comply with several different standards. As such, business advocates are pushing for a federal SBN standard. If passed, entities that have to comply with fifty different states’ laws on SBNs would only have to comply with one SBN requirement.
FIPPs: Preemption of State Law
If lawmakers passed a national SBN law, state statutes would still apply in the case of provisions covering unfair or deceptive practices. Additionally, state laws that are more restrictive than federal laws would still apply.
Although the federal laws would preempt state laws, state attorneys general would be authorized to enforce the federal laws. The idea behind this is to allow states to determine which areas need priority in enforcement, as these may differ between jurisdictions.