Federal data-protection law inches forward
The Personal Data Privacy and Security Act was approved by the Senate Judiciary Committee
Computerworld - A sweeping new bill that would implement a national standard for data protection and breach notification got a boost of support today from the Senate Judiciary Committee.
The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill is now headed to the full Senate for consideration.
If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.
Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while it is in transit and at rest.
The bill would introduce a federal breach-notification standard under which companies would be required to notify not just individuals affected by a data breach, but also, in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.
The law would also provide notification exemptions for companies that have taken adequate measures -- such as encryption -- to protect sensitive data. Companies would also not be required to immediately disclose a breach if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.
If approved, S.1490 would likely preempt similar data-protection laws that have already been passed in 46 states. Many security analysts have been calling for such a federal bill, arguing that it would be easier for companies to comply with one national law rather than a patchwork of 46 state laws.
Several attempts at passing similar federal legislation over the past three years have failed, however, and it remains unclear whether S.1490's fate will be any different. Growing concerns related to identity theft and the criminalization of cyberspace have added an element of urgency to the bill.
Even so, the bill includes provisions that are unnecessary and burdensome, said John Pescatore, an analyst at research firm Gartner Inc. in Stamford, Conn.
"A federal-level disclosure law to make sure affected individuals are notified would be a very good thing, mostly to stop the growth of individual state laws with differing requirements," he said. But the provisions in S.1490 that would require breached entities to report to the government "will create an entire new set of bureaucracy within the U.S. Secret Service and the FTC," Pescatore said.
The bill's overly prescriptive language on the security controls that companies need to institute in order to protect sensitive data is also likely to result in pushback from industry, he said. "I think we have started to already see in the health care bill a lot of pushback" over similar legislation, and the same thing is likely to happen with this bill, Pescatore said. Such concerns could once again derail data protection legislation, he added.
"Congress should really just focus on a national disclosure law that states cannot preempt," he said. "That would bring value to both the people whose identities are being stolen and the businesses which need to be driven harder to protect it."
Alan Paller, director of research at the SANS Institute in Bethesda, Md., said there was "very, very high probability" that the bill could pass muster in Congress this time.
What makes the bill fair is that it gives companies some discretion in deciding whether to publicly disclose a data breach. At the same time, companies that choose not to publicly announce a breach will first need to notify the Secret Service to ensure that companies don't invoke the exception without reason, Paller said. It's a "very cool way to keep the program balanced," he said.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts