BreachExchange mailing list archives

U.S. Data Breach Notification Law Unlikely in 2014


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Oct 2014 19:56:04 -0600

http://www.databreachtoday.com/us-data-breach-notification-law-unlikely-in-2014-a-7453

Despite President Obama's urgent call to lawmakers to enact a national data
breach notification law, such legislation is unlikely to be voted on
before the current Congress recesses.

Obama, in signing an executive order to promote speedy adoption of
chip-and-PIN credit cards at a ceremony held Oct. 17 at the Consumer
Financial Protection Bureau, called on Congress "to act with urgency on
data breach legislation" because of a slew of recent high-profile data
breaches (see Obama Seeks to Speed EMV Adoption).

"And even though I'm taking action today without Congress, Congress needs
to do its part, as well," Obama said. "Today, data breaches are handled by
dozens of separate state laws, and it's time to have one clear national
standard that brings certainty to businesses and keeps consumers safe."

But despite the president's call and growing interest in Congress in
enacting a national data breach notification law, no such bill has reached
either the Senate or House floors in the current Congress. People familiar
with the legislative process point out that business groups and consumer
advocates with allies in Congress cannot agree on key provisions of data
breach notification measures. Generally, businesses want less stringent
data breach notification rules than do consumer advocates.

'Inaction Is Remarkable'

"In some ways the inaction is remarkable," says Peter Swire, senior fellow
at the Future of Privacy Forum and professor at Georgia Tech's Scheller
College of Business. "We had spectacular data breaches involving tens of
millions of consumers, and even that is not enough to prompt Congress into
action."

In the last four Congresses, the Senate Judiciary Committee has approved
bipartisan data breach notification legislation, although none of the bills
ever came up for a vote. But the chances of that happening again in the
current 113th Congress are diminishing.

Sen. Patrick Leahy, the Vermont Democrat who chairs the Judiciary
Committee, has again sponsored a notification bill, but he's putting that
measure on the back burner to push for Senate passage of another of his
bills, the USA Freedom Act, which would rein in the National Security
Agency's bulk-collection program, a senior Senate staffer says.

"There's limited floor time, and the Judiciary chairman has to pick his
spot," Swire says.

The Senate staffer says Leahy is working with the Judiciary Committee's
ranking Republican member, Chuck Grassley of Iowa, to develop a bipartisan
bill, but adds that it's unlikely that such a measure would be introduced
in the current Congress. If Republicans take control of the 114th Congress,
which begins on Jan. 3, Leahy no longer will be the panel's chairman, and
his influence over legislation would be diminished.

Even without congressional action, data breach notification is regulated in
most of the United States, but on a state-by-state basis; 47 states have
enacted data breach notification laws (see States Advance Breach
Notification Laws). But each state statute differs from the others. Many
business groups would prefer to see a single, national statute to cut down
on the paperwork involved in reporting data breaches.

Lots of Work

"It's a lot of work trying to address all the different requirements of
each of the different states, the scope is different, the coverage is
different, the requirements are different," says IT security and privacy
lawyer Francoise Gilbert of the IT Law Group.

Still, just having a national bill doesn't solve the problem if lawmakers
can't agree on the content of the legislation.

An analysis of four data breach notification bills before the Senate,
conducted this past week by the law firm King & Spalding, shows a big
difference in the timing requirements for notification.

According to the analysis, the Leahy bill would require businesses that
experience a data breach to notify individuals within 60 days or obtain
approval from the Federal Trade Commission for a longer notification
period. Legislation sponsored by Senate Commerce Committee Chairman Jay
Rockefeller, D-W.Va., would require notification to affected individuals
within 30 days. The measure championed by Sen. Richard Blumenthal, D-Conn.,
would require notification "without unreasonable delay." Legislation backed
by Senate Homeland Security and Governmental Affairs Committee Chairman Tom
Carper, D-Del., doesn't specify a time, but leaves that up to regulators,
as long as it's done quickly.

Not all situations are covered in each of the bills. For example, the
King & Spalding analysis shows that the Leahy bill generally would require
that notifications describe the personally identifiable information that
was breached, provide a toll-free number to contact the business regarding
the personally identifiable information it maintains, and provide a
toll-free number and address for the major credit reporting agencies.

The Blumenthal bill would adopt these requirements and add disclosure of
the telephone numbers and website addresses for "relevant federal agencies
that provide information regarding identity theft prevention and
protection." Rockefeller's bill would add a provision requiring disclosure
of the right to obtain consumer credit reports and the FTC telephone number
and website address for information about identity theft. Carper's bill
would require that notices describe the information at risk, the actions
taken to address the breach and the consumers' rights under the Fair Credit
Reporting Act to place a security freeze on their accounts.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/