Early last month, Sens. Mark Pryor, D-Ark., and John Rockefeller, D-W.Va., showcased their breach notification bill, which would require organizations to notify victims of data loss within 60 days, as well as give them two years of credit monitoring services. They'd also need to establish policies and procedures to safeguard data.
This is one of many federal breach notification bills making its way through Congress. Recently re-introduced, the Data Security Act of 2010 from Sens. Tom Carper, D-Del., and Bob Bennett, R-Utah, would require companies and federal agencies which handle sensitive information – from government agencies to retailers to data brokers – to notify consumers of potential risks of account fraud or identity theft. It also would require these entities to have in place measures to protect consumer data, and make moves to investigate breaches when they occur. Another is Senate Bill 139, sponsored by California Sen. Dianne Feinstein, which would apply to businesses and federal agencies using or storing the personally identifiable information of consumers. It too calls for breach notification.
Over the years, none of the proposed laws on the federal level have been passed, much to the chagrin of many information security practitioners and industry experts. An over-arching law that would supersede myriad requirements across the current 46 state laws undoubtedly would make worklife much easier for a lot of CSOs.But, hurdles still pop up. Not only does Congress have other priorities on their plates, such as the war in Afghanistan or the Gulf spill, its members also are having a hard time agreeing to the terms of a federal data breach notification law. When should a breach be reported? Should such a law apply to federal agencies? What are the proper security measures and policies companies should have in place?
The list goes on. Yet another consideration that one often doesn't hear about, though, is just how breach notification is to be enforced.
The Identity Theft Resource Center (ITRC) states that many data exposures are underreported despite the existence of strict state laws. One example the group called out in a BankInfoSecurity.com news item was a New York list of data breaches made public this year, which cited more than 200 breaches that had not been reported to news media. Lackadaisical reporting not only compounds these victims' privacy problems, but also helps cybercriminals launch the same attacks on other businesses, according to the ITRC.
Even with state laws, a slew of victims have been left unaware because reporting isn't happening. Not only are the privacy problems compounded for these victims, but this lack of reporting is helping cybercriminals continue the same types of attacks on other businesses, according to experts at the ITRC. Further, law enforcement is kept unaware.
What would keep these issues at bay with the passage of a federal law? Enforcement is vital and seems a topic of debate that must be explored. A federal breach notification law will mean little if organizations are not held accountable when they shirk their responsibility as trusted shepherds of customers' personal data. And the thieves causing all these problems in the first place? Well, that's a topic for another column.
Illena Armstrong is editor-in-chief of SC Magazine.
