CompTIA Small Business Spotlight: Myriad of State Data Breach Laws Pose Challenges for Consumers, Companies

Jun 27, 2013, 12:02 ET from CompTIA

WASHINGTON, June 27, 2013 /PRNewswire-USNewswire/ -- Throughout June, CompTIA, the non-profit association for the information technology (IT) industry, has spotlighted issues affecting its small business members and offered solutions to address those challenges. This week's focus: data breach notification laws.

"The protection of customer data is an issue that concerns every company and every organization in the country," said Scott Barlow, chair of the CompTIA IT Security Community and vice president of sales and marketing for Reflexion Networks.

In response to a steady stream of high-profile incidents in which private information about consumers was disclosed to unauthorized parties, 46 states and the District of Columbia have adopted data breach notification laws designed to protect personal information. As a result, businesses must understand, keep track of and comply with the laws of many states. This places a heavy burden and added costs on businesses of all sizes, but particularly on small and mid-size businesses (SMBs).

To address this complex patchwork of state-level requirements, CompTIA has renewed its call for national legislation that protects consumers' personally identifiable information (PII) while consolidating notification requirements and simplifying compliance for all businesses.

"Standardized national legislation would give consumers confidence that wherever and however they transact business, their personal information will be protected and that unauthorized disclosure will be addressed in a consistent fashion," Barlow said.  

Today, customers and employees take their mobile and handheld devices with them almost everywhere they go. They access data without concern for jurisdictional boundaries. Thus, a data breach can happen at any number of places during the stream of commerce, making it difficult to know which notification rule applies to a possible data breach.

Barlow cited as an example the Massachusetts data breach law, which follows a Massachusetts resident around regardless of where they are.

"What happens if a Massachusetts resident is the victim of a data breach while on vacation in California?" he asked. "Which state law takes precedence? Or what if the breach occurs in one of the four states that do not have a data breach law? It's confusing for the consumer and the company, both of which may be victims."

A national data breach notification framework would provide consumers and businesses with consistency and predictability on how consumer notice must be provided. A new CompTIA whitepaper examines the data breach issue in more detail.

Through its Public Advocacy group and its partnership with TechVoice, CompTIA supports strict standards for the protection of consumer data and full and timely notification to consumers of any breach of their PII. This right will be furthered by a national data breach notification framework and training for both businesses and the IT industry's solution providers.

CompTIA is the voice of the world's information technology (IT) industry.