Critics hit proposed data breach notification law as ineffective

If enacted, it would override tougher laws at the state level

November 10, 2005 12:00 PM ET

Computerworld - A proposed nationwide law that would require companies to notify consumers of data breaches involving their confidential information is being criticized by some security experts as being too ambiguous to be effective.
The proposed Data Accountability and Trust Act (DATA), or H.R. 4127, was approved by a 13-8 vote along partisan lines by a subcommittee of the Energy and Commerce Committee on Nov. 3.
The bill was written by Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, and now goes to the full Energy and Commerce Committee for further consideration.
In broad terms, the proposed law is similar to California's Database Breach Notification Act and similar laws in other states because it requires companies to notify consumers of security lapses involving their private data. It would also require information brokers to inform the U.S. Federal Trade Commission about plans for safeguarding private data and to submit to periodic security audits by the FTC in the event of a breach. The FTC would be responsible for enforcing the new law.
If approved, the measure would override state laws such as the one in California and would serve as a national breach-notification mandate.
While there have been calls for such a national law, the biggest problem with H.R. 4127 is that it requires companies to inform consumers of breaches only if they believe a significant risk of fraud exists, said Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.
That could allow companies to avoid reporting certain breaches of customer data that some state laws currently require them to report, he said.
"I believe that 98% of the time companies are not going to disclose breaches" if the law goes into effect, Paller said. "Only 2% are going to be good citizens and report breaches" if there is nothing to suggest imminent fraud, he said.
"It will be the absolute decimation of the impact of the California [law]," he said. "This is corporate lobbying at its worst."
What makes it likely that companies will choose not to report some breaches if the bill becomes law is the fact that it is often next to impossible to link cases of identity theft and fraud with a specific security breach, said Christopher Pierson, a lawyer with Lewis and Roca LLP in Phoenix. "By including this language about significant risk, the bill will leave it entirely up to the companies themselves" to decide when to report a breach, Pierson said. In contrast, "California's SB 1386 empowers people to