BreachExchange mailing list archives

House Panel OK's National Breach Notification Bill


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Dec 2015 18:45:00 -0600

http://www.bankinfosecurity.com/breach-bill-gets-qualified-support-a-8734

The House Financial Services Committee, by a 46-9 vote, approved on Dec. 9
the Data Security Act of 2015, which would establish minimum security
protections at businesses as well as create a national requirement for data
breach notification <http://www.bankinfosecurity.com/notification-c-327>.

HR 2205 would supplant 47 state laws with a single, national breach
notification statute. Businesses generally support a single law because
they contend it's burdensome to comply with various state laws.

During the panel's Dec. 8 debate on the legislation, Committee Chairman Jeb
Hensarling, R-Texas, pointed out that the House Energy and Commerce
Committee approved in April a similar bill, the Data Security and Breach
Notification Act, so both panels would need to negotiate a final measure to
present to the full House (see *National Data Breach Notification Bill
Advances <http://www.bankinfosecurity.com/national-data-breach-notification-bill-advances-a-8109>*).
"This is really the beginning of the process," Hensarling said.

Bill's Provisions

The legislation <http://www.bankinfosecurity.com/legislation-c-191> would
establish a security regime its sponsors contend would secure sensitive
financial account information and nonpublic personally identifiable
information. The measure specifically identifies security controls
organizations should adopt, including those involving access
<http://www.bankinfosecurity.com/id-access-management-c-210> controls and
restrictions, use of encryption
<http://www.bankinfosecurity.com/encryption-c-209> of sensitive information
and monitoring systems. The bill also directs businesses to require their
third-party service providers to implement appropriate safeguards for
sensitive information.

Several members said the legislation's processes could be better defined.
One member, Rep. Denny Heck, D-Wash., complained that the legislation
strips states' insurance commissioners, whom he maintains work smoothly
together, of their powers to regulate security among insurers. The bill's
sponsors, Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del.,
conceded the measure could be improved and promised they'll work with
members to strengthen the legislation before it reaches the House floor.

The most contentious part of the legislation would usurp laws in 12 states
that require businesses operating in their jurisdiction to adopt specific
IT security measures. An association of states' attorneys general has
objected to that provision. Massachusetts Assistant Attorney General Sara
Cable, testifying before Congress earlier this year, argued that preempting
state laws "represents a significant retraction of existing protections for
consumers at a time when such protections are imperative. Minimum data
security standards are important and necessary, but the proposed standards
leave consumers' data vulnerable." (See *Barriers to a Breach Notification
Law <http://www.govinfosecurity.com/blogs/barriers-to-breach-notification-law-p-1830>*.)

Amendment Defeated

The AGs' reservations about the bill prompted the committee's ranking
member, Democrat Maxine Waters of California, to offer an amendment to
allow states to provide more stringent security requirements. The panel
defeated the amendment on a voice vote.

Carney said a number of experts who reviewed the bill agree that only
Massachusetts among the dozen states had stronger data security provisions
than those offered in the Data Security Act.

Neugebauer said the Data Security Act is aimed at preventing what Waters
seeks: different security laws in different states. "The problem is if you
start this down-the-road of one-upmanship where now everybody raises their
standard ... then we're back where we started from and basically inhibiting
the ability to have a national standard and not to impact commerce in a
negative way," he said. "That's the beauty and the reason the Founders put
the Commerce Clause in there. There are certain things that we need unified
between these 50 states."

Enforcement

The Data Security Act is written to allow businesses in different sectors
to adapt security measures to fit their specific businesses. Indeed,
regulatory enforcement would be scattered among various agencies including
the Federal Trade Commission, the Comptroller of the Currency, the Federal
Reserve System, the Federal Deposit Insurance Corp., the National Credit
Union Administration, the Securities and Exchange Commission, the Commodity
Futures Trading Commission, the Office of Federal Housing Enterprise
Oversight and state insurance authorities.

Entities covered by the Health Insurance Portability and Accountability Act
and the Health Information Technology for Economic and Clinical Health Act
- HIPAA and HITECH, respectively - would be exempt from the Data Security
Act provisions.

Bankers generally favor the Data Security Act because it's modeled on
existing laws applicable to the smallest credit unions and largest banks,
Steven Zeisel <http://thehill.com/blogs/congress-blog/economy-budget/262161-protection-against-cyber-grinches>,
executive vice president of the Consumer Bankers Association, wrote in an
article published on TheHill.com. Zeisel contends the bill would apply
security standards that are proportional to the type of information the
business holds. "If a company is collecting your information to aid quicker
check-outs or marketing, it should be held to a higher standard than one
that is not," he says.

Retailers Voice Opposition

But that existing model that works for banks won't necessarily transfer to
other businesses and would prove burdensome, Jennifer Safavian, an
executive vice president at the Retail Industry Leaders Association, a
trade group, says in a Dec. 8 letter sent to the committee's leaders. One
provision she cites would require employees who touch sensitive account
information, defined as a credit or debit card, to first pass a criminal
background check.

"Haphazardly slapping rules that were written 15 years ago for the
financial industry on retailers, restaurants and thousands of small
businesses is not the kind of data security legislation that will safeguard
our economy," Safavian says. "This is red tape masquerading as security."

The bill also specifically identifies security controls organizations
should adopt, including those involving access controls and restrictions,
use of encryption of sensitive information and monitoring systems.
"Permanently codifying new standards will hinder efforts by retailers and
other industries to adapt to an evolving threat landscape," Safavian says.

Privacy advocates and consumer protection groups
<http://www.consumerwatchdog.org/resources/ltropposinghr2205120715.pdf>
contend the legislation would weaken consumer protections. In a Dec. 7
letter to the committee's leaders, a collection of 17 privacy and consumer
protection groups wrote that the Data Security Act would squelch new and
developing state laws that extend data security and breach notification
protections to online account login information, including email accounts
and cloud photo storage. The letter also says the legislation would
eliminate virtually all avenues of redress for consumers. "If this bill
were to pass, state attorneys general would be limited to seeking civil
penalties and injunctive relief, even in cases where consumers suffer
extensive harm as a result of a breach of highly sensitive information,"
the letter says. "This would provide harmed consumers with no relief."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss