Debate: A federal breach notification law should replace existing state laws.

FOR

David Seltzer, South Florida criminal defense attorney who specializes in cybercrimes

Federal legislation resolving the various state laws and issues is a good thing, so long as it does not overstep boundaries by interfering with business practices or operations. Currently, various states have different regulations and notice provisions, which can be a compliance nightmare for corporations. In unifying these regulations, corporations will have a better set of instructions as to how they must deal with security breaches. Corporations often do not want to disclose breaches because the negative publicity can affect their bottom line and indicate a weakness in their infrastructure. From a consumer point of view, a federal data breach law is necessary to avoid delays in the disclosure of breaches. Delayed disclosures lead to damages or identity theft for the consumer. Federal guidelines for immediate disclosure and notification, with hefty fines or criminal sanctions for noncompliance, should deter another Sony situation, in which disclosure was delayed.

AGAINST

Neal O'Farrell, executive director, The Identity Theft Council

While a single national data breach law is a good thing, President Obama's version is barely a good start. I can't tell if this law is designed to protect data breach victims or to protect breached entities from serious consequences. Worse than just a slap on the wrist, it is almost a pat on the back. As written, the bill would provide a $1 million cap on civil liabilities, exclude email addresses under the definition of personal information, allow breached entities to decide whether victims are harmed, and provide a 60- to 90-day gap before notification would be required.

I can't see any reason why a cap on civil liabilities should be included in such a bill, unless it is to appease industry. Email addresses should not be excluded, because they are still powerful information. And breached entities should never get to decide whether victims are harmed or not – harm is in the mind, or wallet, of the victim. Plus, 60 to 90 days is too long for notification.
