BreachExchange mailing list archives

Is the 5th Time the Charm? - Nationalizing Data Breach Notification


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Mar 2014 18:50:26 -0600

http://www.jdsupra.com/legalnews/is-the-5th-time-the-charm-nationalizi-41480/

Once the smoke and dust clears from the latest enormous data breach, the
fried servers are hauled away and the ritual IT department purge takes
place, the focus seems to turn to the lack of any comprehensive national
data breach law. Although certain sector specific breach notification laws
are in place, such as HIPAA/HITECH in the health information realm, most
businesses in the U.S. remain subject to a jigsaw puzzle of 46 different
state laws.

At present, only Alabama, Kentucky, New Mexico and South Dakota lack a
notification law. And even New Mexico and Kentucky are considering dipping
their toes in these waters, albeit more reluctantly on the part of Kentucky
(since its law would only cover state agencies, not businesses). This
thicket of state laws is a huge ordeal for businesses, since the
notification triggers, timing and notice content requirements can vary
widely.

So is an all-encompassing national data breach notification law merely a
quixotic quest? In January 2014, for the fifth time since 2005, Senator
Patrick Leahy (D-VT) introduced legislation entitled the Personal Data
Privacy and Security Act. The main provisions of the 2014 version of the
PDPSA include:

- applies to businesses that compile, access or process information on
10,000 or more U.S. individuals;
- notice after a security breach must be made to affected individuals
within 60 days of discovery;
- media notice is required if 5,000 or more individuals in any one state
are affected;
- notice need not be provided if the entity determines that there is no
significant risk of harm or fraud to individuals (but the FTC must concur
with the risk assessment);
- the Act does not preempt the rights of states to provide for state
specific additional victim protection information to be provided in the
notice; and
- notice to federal law enforcement is required under various thresholds.

While you have to admire Sen. Leahy's persistence, it's not hard to see
some problems with the proposed legislation. The risk assessment provision
alone looks like it could be a particular morass. The fact that a
government agency must concur with any risk assessment inevitably will lead
to confusion, delay and uncertainty on whether notification is required for
a particular breach.

Moreover, since the law does not 100% preempt state data breach
notification laws, but leaves in some of the notice content requirements,
businesses will still have to apply the notification laws of the various
states. In other words, the PDPSA could potentially make it even harder for
businesses. Not to mention the multi-tiered approach to notifications,
including possible media notice and law enforcement notice.

Senator Tom Carper (D-Del.) has also introduced national data breach
legislation. Carper's bill, the Data Security Act of 2014 (DSA), includes
some key differences from Sen. Leahy's competing bill. The DSA would
completely preempt state data breach notification laws. Additionally, the
DSA is broader, as it would apply to any entity that maintains or
communicates sensitive account or personal information.

Under the DSA, consumer notification is required if the sensitive
information "is reasonably likely to be misused in a manner causing
substantial harm or inconvenience to the consumers to whom the information
relates." Substantial harm includes not only material financial loss to the
consumer, but also "significant time and effort" by the consumer to correct
erroneous credit information. This last prong seems to open a can of worms
regarding consumer inconvenience.

So where do these proposed national data breach laws now stand? Mired in
committee. Leahy's bill is with the Senate Judiciary Committee, which he
chairs. In the meantime, Carper's bill has been assigned to the Senate
Banking, Housing and Urban Affairs Committee.

In fact, it is the different legislative fiefdoms which are part of the
problem. There are too many congressional committees claiming jurisdiction
over cyber security and data breach issues. Another data breach bill,
sponsored by Sen. Pat Toomey (R-PA) back in 2013, is before the Senate's
Commerce Committee. Without a singular focus at the committee level, it is
hard for a particular bill to gain traction.

In addition to congressional dysfunction, other roadblocks to national
legislation include competing interest groups. Consumer groups are
concerned that an all-encompassing federal law could be watered down in the
legislative process and end up weaker than some of the existing state laws.
On the other hand, business interests are looking to minimize costs
associated with data breaches, and therefore seek to limit the
circumstances where notification is required, such as only when there is
clearly a risk of theft or fraud to a consumer.

So despite recent well-publicized data breaches, and even urging by U.S.
Attorney General Eric Holder for a strong national breach notification law,
it seems unlikely that Congress will pass a data breach law in the
foreseeable future. In the meantime, businesses will continue to grapple
with the complexities of the numerous state laws, while at the same time
trying to ward off the persistent threat of hackers, criminals and careless
employees.