BreachExchange mailing list archives

Seeking Compromise on Data Breach Notice Bill


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:08:15 -0600

http://www.databreachtoday.com/seeking-compromise-on-data-breach-notice-bill-a-8012

A draft bill circulating in Congress to create national requirements for
data breach notification could be the vehicle used to win political support
for a compromise from lawmakers supporting the divergent interests of the
business community and privacy advocates.

"This needs work, this needs tinkering, but this might be what a compromise
bill looks like," Lisa Sotto, a privacy and cybersecurity law partner at
Hunton & Williams, says after reviewing the draft of the Data Security and
Breach Notification Act of 2015.

Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt., began circulating
the discussion draft of the legislation on March 12. If enacted, the bill
would preempt 47 state data breach notification laws with a single federal
statute. The House Energy and Commerce Subcommittee on Commerce,
Manufacturing and Trade will hold a hearing March 18 on the proposed
legislation.

Welch says he expects changes will be made to the draft before it comes up
for a vote. "While this draft bill is far from perfect, it is an important
step in the right direction," he says, adding that he will work with his
colleagues "to make practical improvements to it as it works its way
through the legislative process."

Privacy Protections Questioned

Still, not every lawmaker is on board. Two senior Democrats on the House
Energy and Commerce Committee - Reps. Frank Pallone of New Jersey and Jan
Schakowsky of Illinois - have expressed disappointment in the legislation.
"We have numerous concerns about the weakening of consumer protections
overall, as well as the dilution of protections for customers of
telecommunications and cable services," the lawmakers say in a statement.
"We will continue to work for legislation that provides the strongest
possible safeguards and protections for American consumers." The two
representatives did not specify explicit provisions in the bill they found
objectionable.

But data privacy and security lawyer Françoise Gilbert of the IT Law Group
says the measure would eliminate some of the privacy protections provided
by state data breach laws. "I see mostly weaknesses," Gilbert says of the
draft legislation. "The scope of coverage is limited, the requirements are
limited, the rights of the individuals are limited and the definitions are
so vague that companies will continue to struggle in trying to implement
the requirements."

Differing Definitions of What Constitutes PII

Gilbert points out that California's data breach disclosure law, one of the
toughest in the nation, explicitly cites user identification or an email
address when coupled with a password as being considered personally
identifiable information when used to access an online account, something
the draft bill doesn't provide.

A provision in the draft bill states that a combination of user name and
password would be considered PII if it's required to be used by an
individual "to obtain money, or purchase goods, services or any other thing
of value." It doesn't say the combination of user name and password are
deemed as PII if they're used to gain access to an online account for
nonfinancial purposes.

However, Sotto says the term "any other thing of value" in the draft bill
is amorphous and might be interpreted to include reputation - something she
says privacy advocates would like.

No Safeguards for Paper Records

Some state laws extend breach notification requirements to non-digital
documents, but the draft legislation does not cover paper records.
Enactment of the draft measure would void those paper-document protections.
"Think, for example, of the numerous reports of individuals who discover
boxes full of account records - tax returns and related information -
unshredded in landfills," Gilbert says.

Still, the main thrust of the bill is to establish a single, national data
breach notification law. Business groups complain that it's costly to
comply with more than four dozen laws, a point with which President Obama
agrees.

The draft bill also would require the notification of a breach only if a
"reasonable risk" exists that the security incident would result in
identity theft, economic harm or financial fraud to individuals whose
information was exposed. Business groups generally favor such narrow
notification rules; privacy advocates mostly dislike such a provision.

Sotto says the draft legislation, if enacted, also would void Massachusetts
regulations that require businesses to adhere to prescriptive security
measures.

Requiring 'Reasonable' Security Measures

Sponsors Blackburn and Welch say their bill would for the first time set a
national standard for businesses and not-for-profit organizations to
implement and maintain "reasonable security measures and practices" to
protect and secure personal information, though the legislation doesn't
prescribe specific measures and practices.

The draft bill gives the Federal Trade Commission and states' attorneys
general the authority to enforce the law. Each violation would be subject
to a fine of up to $2.5 million. Organizations that must comply with the
Health Insurance Portability and Accountability Act's breach notification
requirements would be exempt from the draft legislation.

Among the provisions regarding breach notification, the draft legislation
would require organizations to conduct a good faith investigation after
discovering a breach to determine if there is a reasonable risk of identity
theft, economic loss or harm or financial fraud.

30 Days to Notify

The bill also would require notification to consumers no later than 30 days
after the organization has taken "necessary measures" to determine the
scope of the breach and restored the reasonable integrity, security and
confidentiality of the data systems.

State laws vary on when organizations must notify consumers of a breach;
many simply state that notification must be made in a reasonable amount of
time; others have specific time limits.

Even the requirement of notifying consumers after fixing a breach won't be
easy for many businesses to implement, Sotto says. "It's hard for companies
to notify 30 days after they've taken reasonable measures because they
still have to parse the data of sometimes many, many hundreds of thousands
of people, to figure out where they are and how to notify them," she says.
"But it seems to be a reasonable compromise."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/