Data breach bill leaves lots of wiggle room
Senate bill's national standard of 'reasonable measures' for security, no deadline for disclosure criticized
July 02, 2012 — CSO — The hand of government is not all that heavy on businesses when it comes to notification requirements about data breaches that affect personal information. And it looks like it won't get much heavier, even if a bill sponsored by U.S. Sen. Pat Toomey (R-Pa.) and four other Republican senators become law. It could even be a bit lighter.
While the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) require notification of health information breaches within 60 days, the pending bill doesn't even specify a deadline.
But the Data Security and Breach Notification Act of 2012, introduced last Thursday by Toomey and Sens. Olympia Snowe (Maine), Jim DeMint (S.C.), Roy Blunt (Mo.) and Dean Heller (Nev.), would set a national standard for data breach notification. That would trump a system in which 46 states, Washington, D.C., Puerto Rico and the Virgin Islands all have different laws.
And that much alone makes it a good thing, according to several security experts. Mark Baldwin, principal researcher and consultant at InfosecStuff, said: "It will eliminate the current patchwork of state laws that businesses must comply with concerning data disclosure, which will make compliance easier for most businesses."
"And consumers will also benefit, as they will be notified of a data breach that could impact them, regardless of the state where they live," he said.
James Arlen, senior consultant with Taos, said he believes, a national, or even global, standard is "absolutely" required. "A hodge-podge of state level regulations makes adherence difficult and provides too much leeway for 'malicious interpretation," he said. "Without a reasonable standard for notification, it becomes possible for corporations to hide malfeasance. That's simply not OK."
Randy Sabett, an attorney and information security/privacy specialist with ZwillGen, said other good things about the bill are that it sets maximum damages ($500,000) and sets a standard for what is considered a breach -- unauthorized access plus acquisition. "Those are good for business," he said.
But James Arlen is less enthused about the specifics in the bill regarding the protection of data and the lack of a specific deadline for notification.
The bill requires companies to take "reasonable measures" to protect data. It says that if data is, "encrypted, redacted, or secured by any other method or technology that renders the data elements unusable," then even if that data were stolen, it would not be considered a breach.
"While that is good for the law, it is not good from an implementation point of view due largely to the abject failure of organizations to correctly encrypt or redact," Arlen said. "You can see it in every PDF with black boxes added over the unaltered lower layer."
The language saying data is exempt if it is rendered "unusable" is likely an impossible standard, since there is almost no encryption that could absolutely make that guarantee. But there is plenty of room between that and outdated encryption, such as that being used by the professional social networking site LinkedIn before the recent breach of about 6.5 million member passwords.
"I'd suggest that there be some regulation around what is acceptable for encryption," Arlen said. "And that the decision on [whether a company was doing it should] be at the behest of the FTC, not by the corporation that screwed up. "
And Sabett acknowledges that there is plenty of room for interpretation of "reasonable measures."
There is also the matter of how timely those notifications have to be. Anne Salta of Threatpost took note last week that the University of Texas MD Anderson Cancer Center took almost two months to start notifying about 30,000 patients that their personal data, including, "names, medical record numbers, treatment and/or research information, and, in some instances, Social Security numbers," were compromised when an unencrypted laptop was stolen from a physician.
But the center was in compliance -- it had met the 60-day deadline imposed by HIPAA. The Toomey bill doesn't even impose that much. It simply says that notification of a security breach "shall be made as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached."
James Arlen says that leaves too much wiggle room. "Not only does the 60 days provide time for criminals to do what they want with the information, it provides the company with time to manage the incident," he said.
He agrees with exceptions in the law if notification could compromise national security or law enforcement. But other than that, "there is no reason to delay notification beyond perhaps five business days. If you can notify your customers that they are one day late with their payment, you can notify them promptly that you've screwed up."
Dan Berger, president and CEO of Redspin, said while an investigative period is often necessary just to determine which individuals should be notified, "60 days is way too long. If the breach has resulted from unethical hackers or malicious insiders, the stolen data will generally be exploited fairly quickly after its theft."
Sabett disagrees, saying the problem with a hard deadline is that every case is unique. "You may not even know that you've had a breach after 60 days," he said.
But he added he believes there is a bigger issue at play. This bill, he notes, is one of dozens regarding cybersecurity that have been floated in the last several years, and it is too narrow. "We really need more than just data breach notification and reasonable security measures," he said.
Sabett points to a White House proposal from May 2011 that called for legislation covering other critical issues like penalties for computer criminals, voluntary information sharing, protection of critical infrastructure, intrusion prevention and privacy.
"We might not be able to include them all, but we should try to include more than one or two," he said.
Read more about data privacy in CSOonline's Data Privacy section.
Other stories by Taylor Armerding