The Sedona Conference^® (TSC) has announced its Commentary on Proposed Model Data Breach Notification Law for public comment!

As stated in the email notification I received from its Working Group 11 on Data Security & Privacy Liability (WG11): “Data breach notification laws are typically viewed as having two main goals. The first is to timely notify individuals whose data was involved in a breach in order to give them the chance to mitigate damage and risks caused by the data breach. The second is to increase accountability of organizations and encourage them to strengthen data security.”

“But the laws, as written, do not necessarily accomplish those goals for two chief reasons. First, there is a lack of uniformity among the various laws, making it challenging for breached entities to understand their obligations. The lack of uniformity also makes compliance more complicated and expensive. Second, most data breach notification letters do little to help consumers. The vague nature of the notices, combined with the fact that consumers are receiving more and more notices specifically telling them not to worry, can lead to fatigue and, eventually, data security apathy.”

So, this 46-page PDF Commentary on Proposed Model Data Breach Notification Law, available here for free download, is designed to address these two chief problems with current data beach notification statutes, and suggests eight areas where the current iterations of state data breach notification laws can be improved by greater uniformity and clarity:

(1) definition of security breach; (2) definition of PII; (3) definition of risk of harm; (4) encryption, de-identification, and similar technologies; (5) method and form of notification; (6) timeline for notification; (7) credit monitoring; and (8) notifying law enforcement and regulatory authorities.

Proposed model language for each of these eight areas identified above is included in the Commentary. Because of the interplay among them, it is essential to the formulation and subsequent use of this proposed language that the eight sections be considered as a whole.

The Commentary contains four sections in all. After an Introduction and Background, Section III of the Commentary provides a detailed analysis and discussion of current state data breach notification laws and the proposed model data breach notification law. Section IV lays out the Commentary’s proposed Model Data Breach Notification Law in its entirety.

The Commentary on Proposed Model Data Breach Notification Law is open for public comment through July 3, 2023. Questions and comments may be sent to comments@sedonaconference.org. As always, the drafting team will carefully consider all comments received, and determine what edits are appropriate for the final version.

A webinar on the Commentary will be held and will be announced by email and on The Sedona Conference website. The webinar will give you the opportunity to ask questions and gain additional insight on this important topic.

So, what do you think? Do we need a proposed model data breach notification law? Or are the current laws we have good enough? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.