The Wall Street Journal reports that the US Congress plans to consider legislation that would lessen the demands on US companies to disclose certain cybersecurity breaches.

Under the proposed legislation, the story says, "companies would be allowed to decide whether a breach of consumer data merits notifying customers. Under the proposals, companies would need to quickly notify customers about an intrusion if they believe there is a risk that the breach would lead to serious identity theft or fraud. But if companies believe there is no reasonable chance that a breach will hurt customers, the proposed legislation would allow them to keep it under wraps."

The story notes that the federal legislation would supersede state laws with stricter disclosure mandates.

KC's View:
There is a certain logic to a national standard. The Journal argues persuasively that "complying with dozens of separate requirements is costly and can slow a response when a breach occurs, experts say. Rather than dealing with a separate attorney general in every state when a breach happens, companies would mainly be answerable to the U.S. Federal Trade Commission under the proposed law."

I'll buy that.

However ... I just don't think that companies should get to make this decision. If data is compromised, the rules covering disclosure ought to be both specific and strict. After all, as a consumer, it is my data that is being compromised, and it ought to be a legal requirement that I be informed.

I'm not saying that every company would do the wrong thing. But there will be companies more concerned with their own priorities than consumers', and they'll make the wrong decision. It'll come back to haunt them, and haunt the companies that try to make the right decisions.

Specific and strict mandates will, in the end, be good for everyone.