SIIA pushes for national security-breach notification standard
The industry trade group wants to replace a slew of state notification laws
November 11, 2005 12:00 PM ET - Computerworld -
The Software & Information Industry Association (SIIA), a leading industry trade group, is renewing its call for a national security-breach notification standard to replace the slew of state laws that companies are currently required to comply with.
For such a law to work, the U.S. Congress would need to establish a "meaningful threshold for breach notification" to avoid the problem of overnotification, Mark Bohannon, the SIIA's general counsel and senior vice president, said Wednesday in testimony before the House Subcommittee on Financial Institutions and Consumer Credit.
Bohannon was testifying in connection with a bipartisan proposal called the Financial Data Protection Act or H.R. 3997, which is now before the House Financial Services Committee. The proposed bill was introduced last month and is designed to help consumers by requiring companies that handle their personal information to take steps to protect that data and to notify them in the case of a security breach.
In his testimony, Bohannon said that the goals and objectives of the proposed bill are consistent with the SIIA's position on the need for a national disclosure law.
"With more than twenty-one states having already enacted data security and breach notification laws, a national standard is needed to avoid confusion to consumers, businesses and the appropriate enforcement authorities," Bohannon said in a statement posted on the SIIA's Web site today.
But further amendments are needed to make the bill more effective for consumers and financial institutions, he said. The proposed bill, for instance, includes "several thresholds" for breach notification that could lead to confusion, consumer frustration and overnotification, he said. Instead what is needed is a notification standard that requires companies to disclose breaches only if there is a reasonable belief that sensitive personal financial information is at significant risk of identity theft, he said.
Bohannon also called for greater clarity on the definition of "sensitive personal information" for the purposes of breach notification and recommended that the definition exclude information that is otherwise available from public sources.
The SIIA's testimony comes amid some concerns that national disclosure laws -- which would override tougher state laws -- would be full of loopholes that would allow companies to avoid breach notifications.
One example is a proposed bill called the Data Accountability and Trust Act (DATA), or H.R. 4127, which recently won approval from a subcommittee of the House Energy and Commerce Committee. Like H.R. 3997, the DATA bill seeks to set a national standard for security breach notifications. But because it would require companies to inform consumers of data breaches only if they believed that a significant risk of fraud existed, critics see the bill as too vague to be effective.
Others, however, support the need for a minimum threshold for breach disclosure, saying that without one, companies could be required to disclose even breaches that involve no risk of fraud.
Disclosure laws such as those in California, for instance, use a so-called acquisition standard that requires companies to notify consumers each time their data is acquired by an unauthorized person, said an analyst at a New York-based insurance company who requested anonymity. That sort of trigger has resulted in an onslaught of notifications and has created a "ludicrous situation," he said.