A proposed nationwide law that would require companies to notify consumers of data breaches involving their confidential information is being criticized by some security experts as being too ambiguous to be effective.

The proposed Data Accountability and Trust Act (DATA), or H.R. 4127, was approved by a 13-8 vote along partisan lines by a subcommittee of the Energy and Commerce Committee on Nov. 3.

The bill was written by Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, and now goes to the full Energy and Commerce Committee for further consideration.

In broad terms, the proposed law is similar to California’s Database Breach Notification Act and similar laws in other states because it requires companies to notify consumers of security lapses involving their private data. It would also require information brokers to inform the U.S. Federal Trade Commission about plans for safeguarding private data and to submit to periodic security audits by the FTC in the event of a breach. The FTC would be responsible for enforcing the new law.

If approved, the measure would override state laws such as the one in California and would serve as a national breach-notification mandate.

While there have been calls for such a national law, the biggest problem with H.R. 4127 is that it requires companies to inform consumers of breaches only if they believe a significant risk of fraud exists, said Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.

That could allow companies to avoid reporting certain breaches of customer data that some state laws currently require them to report, he said.

“I believe that 98 percent of the time companies are not going to disclose breaches” if the law goes into effect, Paller said. “Only 2 percent are going to be good citizens and report breaches” if there is nothing to suggest imminent fraud, he said.

“It will be the absolute decimation of the impact of the California [law],” he said.
“This is corporate lobbying at its worst.”

What makes it likely that companies will choose not to report some breaches if the bill becomes law is the fact that it is often next to impossible to link cases of identity theft and fraud with a specific security breach, said Christopher Pierson, a lawyer with Lewis and Roca LLP in Phoenix. “By including this language about significant risk, the bill will leave it entirely up to the companies themselves” to decide when to report a breach, Pierson said. In contrast, “California’s SB 1386 empowers people to be able to receive information about a breach and do something about it,” he said.

There are other ambiguities, too. The bill, as proposed, does not set a time period within which a company must disclose a breach, Pierson said. Moreover, it appears to target only companies that do business across state lines, and it’s vague about the obligations of companies that operate within just one state, said Arshad Noor, CEO of StrongAuth Inc., a compliance management firm in Sunnyvale, Calif.

The proposed law specifies that companies must have policies and procedures, but it does not explicitly call for any controls, Noor said. “Does this mean that I can have paper documents that reflect my policy and procedures but not have to do anything about it — and yet be compliant?” he asked.

As with most legislation, H.R. 4127 has both good and bad elements, said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. For example, strengthening the FTC’s enforcement capabilities is a good thing, he said. So, too, is a provision that exempts companies from reporting breaches if they have encrypted sensitive data, he said.

The proposed law is also very explicit about the consumer notification process and what information must be disclosed, Pierson said.

Raising the bar for disclosure is not automatically a bad thing, Pescatore said.
“There does need to be some kind of balance about disclosure.” He said existing laws have resulted in a kind of “disclosure overload,” with companies being forced to publicize every security incident involving customer data, even though in 99 percent of the cases no fraud results from the incident.

“A lot of today’s disclosures have simply gotten ridiculous,” he said.

Stearns did not immediately respond to a request for comment.

By Jaikumar Vijayan – Computerworld (US online)