BreachExchange mailing list archives

Congress Explores National Data Breach Notifications


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 Jan 2015 19:41:12 -0700

http://www.information-management.com/news/Congress-President-Obama-National-Data-Breach-law-10026473-1.html

Congress held its first hearing on President Obama’s proposal for a
national breach notification standard on January 27. Testimony primarily
from retail and technology trade associations supported much of the plan,
but support was lacking for the provision to notify individuals within 30
days of discovering a breach.

In testimony before the House Energy & Commerce subcommittee on commerce,
manufacturing and trade, the Computing Technology Industry Association
(CompTIA) and the Retail Industry Leaders Association (RILA) both bemoaned
the 51 state and territorial breach notification rules currently in effect and
strongly supported a single national notification standard.

“Strong preemption is necessary to ensure that a federal law is not the
fifty-second data breach law with which retailers must comply,” said Brian
Dodge, executive vice president at RILA. “Similarly, a federal law should
not include regulatory authority to allow the Federal Trade Commission to
change notification rules, which will undercut the goal of creating a
single and predictable national breach notification standard.”

President Obama’s proposal offers three exceptions to the 30-day notification
requirement: a delay to accommodate law enforcement purposes, a delay to
accommodate national security purposes, or additional time that businesses may
request from the FTC.

Neither association specifically mentioned the 30-day notification period,
which is half the 60 days currently granted for healthcare entities under
the HIPAA law. Rather, they suggested broader periods in which to start the
notification process.

“When a breach is discovered, one of the first things a company must do is
to conduct a risk assessment to determine the type of data that has been
accessed and the risk that potential fraudulent use of the data could
entail,” testified Elizabeth Hyman, an executive vice president of public
advocacy at CompTIA. “This risk assessment is a vital component to a
company’s data breach response, and, depending upon the seriousness of the
breach, may take some time to complete. We therefore ask that a federal
standard ‘starts the clock’ on a notification requirement only after the
risk assessment has been completed.”

Retailers appear to want an open timetable for notification. “The timeframe
should be triggered by the confirmation of a breach and bound by the time
it takes to investigate and verify facts, as fact-based notification
provides customers with proper information through which to determine what
action to take,” Dodge of RILA testified.

Notification, Dodge added, should be provided upon reasonable belief that a
breach has resulted or will result in identity theft, economic loss or harm. Both
associations warned against notifying customers of every type of breach,
arguing that customers would become less likely to pay attention to the notices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 