But Simitian (pictured at right) said getting consumers compensated for data breaches isn't high on the priority list for legislators.
Simitian, speaking at the Security Breach Notification symposium in Berkeley, said the new legislation would force organizations that are breached to admit the extent of the compromise, and to provide consumers with enough information to determine on their own whether they face a risk of harm.
Such information, combined with simultaneous notification to state authorities, he said, would give law enforcement, researchers and others better data for understanding the nature and scope of the data breach problem instead of relying on reports from media outlets, which don't cover every breach that occurs.
But Simitian, responding to a question from the audience of lawyers, academics and privacy advocates, said efforts to impose compensation for victims of a breach are not on the table, and are not likely to be for a while. He said that legislating compensation to consumers raises questions about whether it would become a deterrent to a company reporting a breach.
"Right now, there is already a significant deterrent [to reporting a breach] in terms of the shame and cost factor," Simitian said. "If that cost becomes more significant, will people push it aside in the hope that no one will ever determine they had a breach?" Instead, the next focus of legislation, he said, would likely be on who should bear the cost of sending out notifications to consumers. For example, should a credit card processing company that experiences a breach be responsible for the cost of notifying bank customers?



