Critics hit proposed data breach notification law as ineffective
If enacted, it would override tougher laws at the state level
November 10, 2005, 12:00 PM ET (Computerworld)
A proposed nationwide law that would require companies to notify consumers of data breaches involving their confidential information is being criticized by some security experts as being too ambiguous to be effective.
The proposed Data Accountability and Trust Act (DATA), or H.R. 4127, was approved by a 13-8 vote along partisan lines by a subcommittee of the Energy and Commerce Committee on Nov. 3.
The bill was written by Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, and now goes to the full Energy and Commerce Committee for further consideration.
In broad terms, the proposed law is similar to California's Database Breach Notification Act and similar laws in other states because it requires companies to notify consumers of security lapses involving their private data. It would also require information brokers to inform the U.S. Federal Trade Commission about plans for safeguarding private data and to submit to periodic security audits by the FTC in the event of a breach. The FTC would be responsible for enforcing the new law.
If approved, the measure would override state laws such as the one in California and would serve as a national breach-notification mandate.
While there have been calls for such a national law, the biggest problem with H.R. 4127 is that it requires companies to inform consumers of breaches only if they believe a significant risk of fraud exists, said Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.
That could allow companies to avoid reporting certain breaches of customer data that some state laws currently require them to report, he said.
"I believe that 98% of the time companies are not going to disclose breaches" if the law goes into effect, Paller said. "Only 2% are going to be good citizens and report breaches" if there is nothing to suggest imminent fraud, he said.
"It will be the absolute decimation of the impact of the California [law]," he said. "This is corporate lobbying at its worst."
What makes it likely that companies will choose not to report some breaches if the bill becomes law is the fact that it is often next to impossible to link cases of identity theft and fraud with a specific security breach, said Christopher Pierson, a lawyer with Lewis and Roca LLP in Phoenix. "By including this language about significant risk, the bill will leave it entirely up to the companies themselves" to decide when to report a breach, Pierson said. In contrast, "California's SB 1386 empowers people to