Bill Requiring Notice of Breaches Goes Forward

Critics say measure isn't hard enough on companies that lose customer data

A proposed federal law that would require companies to notify consumers of data breaches involving their confidential information is being criticized by some security analysts as too ambiguous to be really effective.

The Data Accountability and Trust Act, or DATA, was approved on Nov. 3 by a 13-8 vote along party lines by a House of Representatives subcommittee that's responsible for commerce, trade and consumer protection. A nearly identical bill is under consideration in the Senate. If it becomes law, DATA would override state mandates such as California's SB 1386 Database Breach Notification Act.

In addition to the notification requirements, the proposed bill would require information brokers that collect and sell personal data to notify the Federal Trade Commission about their plans for safeguarding the information they maintain. They also would have to submit to periodic security audits by the FTC in the event of a breach.

While such a national law is needed, the biggest problem with DATA is that it would require companies to inform consumers of data breaches only if they think there's a significant risk of fraud, said Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.

That would leave an opening for many companies to avoid reporting breaches involving the loss of customer data, as they are required to do under some state laws, Paller said. "I believe that 98% of the time companies are not going to disclose breaches" if they aren't required to, Paller said. "Only 2% are going to be good citizens. It will be the absolute decimation of the impact of the California bill."

What makes such a scenario likely is the fact that often it is next to impossible to link cases of identity theft and fraud back to a specific security breach, said Christopher Pierson, a lawyer at Lewis and Roca LLP in Phoenix.

"By including this language about significant risk, the bill will leave it entirely up to the companies themselves" to decide whether to report a breach, Pierson said.

Some companies would no doubt take advantage of the bill's wording, conceded an internal financial analyst at a New York-based insurer. Even so, there is an overdue need for some sort of minimum threshold that would have to be crossed before companies are required to disclose security breaches, said the analyst, who requested anonymity.

Disclosure laws such as the one in California use a so-called acquisition standard that requires companies to notify consumers each time their data falls into the hands of an unauthorized person, he said. That sort of trigger, he added, has resulted in an onslaught of notifications, creating "a ludicrous situation" for companies.

DATA also contains ambiguities. For example, Pierson said that the bill, as proposed, doesn't specify a time period within which a company must disclose a data breach to its customers.

In addition, the bill specifies that companies must have policies and procedures for protecting consumer data but doesn't explicitly call for any controls, said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif.

As with most legislation, DATA has good and bad elements, said Gartner Inc. analyst John Pescatore. Strengthening the FTC's enforcement capabilities would be a positive step, he said. And raising the bar for disclosing breaches isn't automatically a bad thing, according to Pescatore. He seconded the idea that existing laws have produced a "disclosure overload," with companies being forced to admit to every security incident involving customer data.

Despite his overall concerns about the bill, Pierson praised a provision that would exempt companies from reporting breaches if they have encrypted sensitive data. The proposed law is also very explicit about the consumer notification process and what information needs to be included in such notices, he said.

DATA, officially known as H.R. 4127, was authored by Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee that approved the measure. The legislation next goes to the full House Energy and Commerce Committee for further consideration.


The Data Accountability And Trust Act

Would require companies to notify individuals affected by security breaches if there is reason to believe that their personal information is at significant risk of being used for fraud.

Would be enforced by the FTC.

Would require information brokers to submit data security policies to the FTC every year and to undergo audits by the agency for up to five years if they are hit by a breach.

Copyright © 2005 IDG Communications, Inc.
