Federal data-protection law inches forward
The Personal Data Privacy and Security Act was approved by the Senate Judiciary Committee
Computerworld - A sweeping new bill that would implement a national standard for data protection and breach notification got a boost of support today from the Senate Judiciary Committee.
The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill is now headed to the full Senate for consideration.
If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.
Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while it is in transit and at rest.
The bill would introduce a federal breach-notification standard under which companies would be required to notify not just individuals affected by a data breach, but also, in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.
The law would also provide notification exemptions for companies that have taken adequate measures -- such as encryption -- to protect sensitive data. Companies would also not be required to immediately disclose a breach if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.
If approved, S.1490 would likely preempt similar data-protection laws that have already been passed in 46 states. Many security analysts have been calling for such a federal bill, arguing that it would be easier for companies to comply with one national law rather than a patchwork of 46 state laws.
Several attempts at passing similar federal legislation over the past three years have failed, however, and it remains unclear whether S.1490's fate will be any different. Growing concerns related to identity theft and the criminalization of cyberspace have added an element of urgency to the bill.
Even so, the bill includes provisions that are unnecessary and burdensome, said John Pescatore, an analyst at research firm Gartner Inc. in Stamford, Conn.
"A federal-level disclosure law to make sure affected individuals are notified would be a very good thing, mostly to stop the growth of individual state laws with differing requirements," he said. But the provisions in S.1490 that would require breached entities to report to the government "will create an entire new set of bureaucracy within the U.S. Secret Service and the FTC," Pescatore said.
The bill's overly prescriptive language on the security controls that companies need to institute in order to protect sensitive data is also likely to result in pushback from industry, he said. "I think we have started to already see in the health care bill a lot of pushback" over similar legislation, and the same thing is likely to happen with this bill, Pescatore said. Such concerns could once again derail data protection legislation, he added.
"Congress should really just focus on a national disclosure law that states cannot preempt," he said. "That would bring value to both the people whose identities are being stolen and the businesses which need to be driven harder to protect it."
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said there was "very, very high probability" that the bill could pass muster in Congress this time.
What makes the bill fair is that it gives companies some discretion in deciding whether to publicly disclose a data breach. At the same time, companies that choose not to publicly announce a breach will first need to notify the Secret Service to ensure that companies don't invoke the exception without reason, Paller said. It's a "very cool way to keep the program balanced," he said.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts