The Software & Information Industry Association (SIIA), a leading industry trade group, is renewing its call for a national security-breach notification standard to replace the slew of state laws that companies are currently required to comply with.

Such a law would require the U.S. Congress to establish a “meaningful threshold for breach notification” to avoid the problem of overnotification, Mark Bohannon, the SIIA’s general counsel and senior vice president, said Wednesday in testimony before the House Subcommittee on Financial Institutions and Consumer Credit.

Bohannon was testifying in connection with a bipartisan proposal called the Financial Data Protection Act, or H.R. 3997, which is now before the House Financial Services Committee. The proposed bill was introduced last month and is designed to help consumers by requiring companies that handle their personal information to take steps to protect that data and to notify them in the case of a security breach.

In his testimony, Bohannon said that the goals and objectives of the proposed bill are consistent with the SIIA’s position on the need for a national disclosure law. “With more than twenty-one states having already enacted data security and breach notification laws, a national standard is needed to avoid confusion to consumers, businesses and the appropriate enforcement authorities,” Bohannon said in a statement posted on the SIIA’s Web site Friday.

But further amendments are needed to make the bill more effective for consumers and financial institutions, he said. The proposed bill, for instance, includes “several thresholds” for breach notification that could lead to confusion, consumer frustration and overnotification, he said. Instead, what is needed is a notification standard that requires companies to disclose breaches only if there is a reasonable belief that sensitive personal financial information is at significant risk of identity theft, he said.
Bohannon also called for greater clarity on the definition of “sensitive personal information” for the purposes of breach notification and recommended that the definition exclude information that is otherwise available from public sources.

The SIIA’s testimony comes amid some concerns that national disclosure laws — which would override tougher state laws — would be full of loopholes that would allow companies to avoid breach notifications.

One example is a proposed bill called the Data Accountability and Trust Act (DATA), or H.R. 4127, that won approval recently by a subcommittee of the House Energy and Commerce Committee. Like H.R. 3997, the DATA bill seeks to set a national standard for security breach notifications. But since it would require companies to inform consumers of data breaches only if they believed that a significant risk of fraud exists, the bill is seen as too vague to be effective.

Some critics support the need for a minimum breach disclosure standard and said that without it, companies could be required to disclose even breaches that involve no risk of fraud.

Disclosure laws such as those in California, for instance, use a so-called acquisition standard that requires companies to notify consumers each time their data is acquired by an unauthorized person, said an analyst at a New York-based insurance company who requested anonymity. That sort of trigger has resulted in an onslaught of notifications and has created a “ludicrous situation,” he said.

By Jaikumar Vijayan – Computerworld (US online)