Jun 25, 2012 (09:06 AM EDT)
Senators Float National Data Breach Law, Take Four

Read the Original Article at InformationWeek

Senate Republicans have introduced draft legislation aimed at creating a single national standard for reporting data breaches.

Dubbed the Data Security and Breach Notification Act of 2012 (S.3333), the legislation was introduced Thursday by Sen. Pat Toomey (R-Pa.). Other backers of the bill include Sens. Olympia Snowe (R-Maine), Jim DeMint (R-S.C.), Roy Blunt (R-Mo.), and Dean Heller (R-Nev.).

The draft bill would also require businesses and government agencies to "take reasonable measures to protect and secure data in electronic form containing personal information." The Federal Trade Commission would enforce the legislation, and could fine organizations that violated the law up to $500,000 per incident.

"This is at least the fourth attempt at passing national legislation in the U.S. to consolidate the more than 40 different state laws currently in place. A single law will simplify compliance and ensure a more uniform notification process when a breach occurs," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.


"Some Republicans in Congress have expressed support for something like the Data Security Act because they prefer a singular, national standard rather than differing state laws," reported The Hill. The bill would override any data breach legislation currently on the books at the state level.

The new bill proposes multiple thresholds for reporting breaches. First, an organization would have to report a breach only if it "reasonably believes [the breach] has caused or will cause identity theft or other financial harm." Also, if the breach involves the records of 10,000 or more people, the organization would need to notify the FBI and Secret Service. Any organization that stored data with a third party would face similar reporting requirements once the third party alerted it to the breach. However, breach notifications could be delayed at the request of federal law enforcement agencies when notification would impede an investigation, and they could be delayed indefinitely for national security purposes.

Under the bill, affected U.S. citizens and residents could be notified in one of three ways: by a letter to their postal address, a phone call, or an email. However, email may be a poor choice for attempting to connect with customers. In the recent LinkedIn password breach, for example, many users and customers of the social networking site mistook the site's email alerts about the breach, which asked them to reset their passwords, for spam.

In cases where such notifications would incur "excessive cost," or when breached organizations don't have a person's contact details, they'd instead be allowed to post a "conspicuous notice" on their website, or to run notifications via print and broadcast media, in areas where people affected by the data breach are located.

Today, all 50 states effectively require that businesses notify their residents when their personal information may have been breached. Most laws are modeled on California's data breach notification law, SB 1386, which went into effect in 2003 and requires any business or agency that suffers a data breach to notify all affected residents of California.

Under various states' laws, however, there can be some important caveats. For example, breaches involving medical information may need to be reported only to a government agency and not otherwise publicly announced.

Companies are keenly aware of data breach notification requirements, and this has led some businesses to store customer data in countries with weak notification laws. On the upside, however, board-level awareness of the threat of data breaches finally became widespread in 2011, after hacktivist groups such as Anonymous and LulzSec targeted businesses and government agencies not for the financial payoff possibilities of their customer information, but simply because they didn't like the organizations.

So how does the Senate's attempt at a national data breach law stack up? For starters, it's unclear what would constitute "reasonable measures," as the bill requires. "What's 'reasonable'?" asks a blog post by the administrator of DataBreaches.net, a privacy advocate and data breach information blogger who publishes under the handle "Dissent."

"Although we don't want a bill that would need revision every time new security measures become available, is it really 'reasonable' in today's world to consider unsalted MD5 'reasonable' security?" he said. "How should a data security requirement be written to set the right standard without getting into specific methods?"

Furthermore, the bill is noticeably weaker than laws that are already in effect in many states. According to privacy attorney Kimberly M. Wong at law firm Baker Hostetler, for example, Connecticut--a state that is "in the forefront in protecting the personal information of its residents"--now requires a data breach notification to be made whenever there's a "breach of security." The state's data breach notification law defines such a breach as the "unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."

In other words, the Senate bill would compromise the state-afforded data breach notification protections currently enjoyed by many U.S. citizens and residents. "This bill might benefit businesses, but it certainly doesn't help consumers who live in states with strong laws," said "Dissent" at DataBreaches.net.
