A Data Breach Disclosure Proposal

Two attorneys lead an online debate on how a federal breach disclosure law ought to look

Ever since California passed its groundbreaking data breach disclosure law (the famous California SB 1386) back in 2003, legislators across the country have been working on similar laws that would require companies to notify customers whose personal information has been compromised. Lawmakers in at least 37 other states have succeeded in passing similar legislation, creating what many businesses complain is a unruly patchwork of laws. Meanwhile, the U.S. Senate and House of Representatives are still trying to hammer out a federal version that everyone can agree on. Or at least live with.

Never ones to shirk a challenge, we at CSO wondered if our own readers couldnt come up with a more perfect disclosure law than any of those proposals that are meandering through committees on Capitol Hill. Two attorneys from the law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, which represents corporate clients in a range of industries, agreed to start the discussion at their itinerant blog on CSOonline.com, Security Legislation Sound Off. There, Cynthia Larose and Stefani Watterson, both of whom are certified information privacy professionals, got the debate rolling with a couple lists of what the legislation might contain and asked readers to weigh in on how to craft the act.

From the perspective of businesses, Larose and Watterson suggested that the law might include:

Clear definitions of what is and what is not a breach.

Clear standards for how and when notification is to be provided.

Clear standards regarding who must provide notificationdata owners or the party responsible for the breach.

A notification trigger that allows determination of possibility of harm or misuse of the data before notification is required.

Safe harbor or exclusion if encrypted data is compromised.

No private right of action. Enforcement by the Federal Trade Commission under FTC-promulgated rules (like Gramm-Leach-Bliley and Can-Spam).

Clear federal preemption of all similar state laws.

From the perspective of consumers, Larose and Watterson suggested some requirements and definitions:

Companies must notify all individuals whose personal information is compromised.

Notification must occur by written means (electronic or by mail) without unreasonable delay. Companies must implement notification procedures and review and update those procedures if necessary on an annual basis.

Companies includes all entities and individuals conducting interstate transactions that request or store ­personal information.

Personal information includes the first and last name of an individual, with one or more of the following: date of birth, Social Security number, account number and drivers license number.

Following notification to individuals of the breach, companies must take ­reasonable steps to change the ­personal information to prevent unauthorized use of it.

Notification should be required ­without regard to whether there is

the possibility for harm.

Private right of action and civil ­penalties for failure to comply.

No preemption of more stringent/­protective state laws.

In the debate that followed, business representatives and consumers provided sometimes heated responses to these proposals and offered suggestions of their own. (For all the gory details, visit http://blogs.csoonline

.com/personal_data_exposed_how_can_we_fix_this_mess.) One especially contentious point: whether businesses must disclose a breach of personal information that was encrypted. Even those who didnt completely object to some kind of exception for encrypted information raised concerns about how quickly encryption techniques change.

Another common thread was the need for legislators to addressin this law or elsewherethe fact that a few bits of personal information can be so easily obtained and then misused by someone looking to commit identify fraud. The best defense against data being stolen is data not being gathered in the first place, wrote one poster. Use of SSNs in any database should be strictly limited to information reported to the [Social Security Administration] or [Internal Revenue Service].

Based on the dozens of often conflicting comments at CSOonline.com, Larose and Watterson bravely proffer this proposal. Whether their effort matches some of the more pro-consumer comments on the site is open to further discussion. As much as anything, the process underscores the challenge facing legislators. They wont be able to come up with a national disclosure law that makes everyone happy. We cant say that even this one makes any of us at CSO happy, exactlybut were glad to have given readers and our expert commentators a chance to weigh in.

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)