BreachExchange mailing list archives

Data breach notification could benefit from federal action


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 3 Jan 2012 02:25:34 -0500

http://www.businessinsurance.com/article/20120101/NEWS07/301019997

There is growing consensus that federal legislation is needed to
address the 47 different state approaches to data breach notification,
but passage of a comprehensive federal bill is less than certain,
experts say.

Many say a polarized Congress may find itself unable to take decisive
action, particularly given that this is an election year. As a result,
many observers are, at best, cautiously optimistic.

According to one estimate, 30 to 40 pieces of cyber risk legislation
already have been proposed in Congress. Observers say a uniform
federal law governing notification of data breaches would be welcome,
but it should pre-empt related state laws if it is going to be
successful.

For instance, the Senate Judiciary Committee last year approved three
Democrat-backed data breach bills.

On the related issue of security, a House Republican task force last
year said Congress should give companies incentives to boost their
cyber defenses, but also said that tough regulation may be warranted
for potentially critical facilities such as power and water plants.

However, “In an election year, a lot of things don't get done with a
stalemated Congress,” said John F. Mullen, an attorney with Nelson
Levine de Luca & Horst L.L.C. in Blue Bell, Pa. “I just question”
whether there will be movement “unless it's to someone's benefit that
it does happen.”

Shawn Edward Tuma, a partner with BrittonTuma P.L.L.C. in Plano,
Texas, said, “I believe that before the end of 2012, there's a pretty
good chance we will be getting legislation that helps,” although “I
don't know if it'll go all the way toward what a lot of people are
seeking.”

“It's a difficult climate to pass legislation, but if one thing can
make it through, it will be a cyber security bill,” said Jacob Alcott,
a principal at Alexandria, Va.-based Good Harbor Consulting and former
counsel to the Senate Committee on Commerce, Science, and
Transportation.

Harley Geiger, policy counsel at the Washington-based Center for
Democracy & Technology, said any action on data breaches “likely
depends on Congress' other priorities, and that is going to depend in
part on domestic events.”

During the past couple of years, “we've seen data breaches rise in
frequency and in cost to business and consumers. There's no reason to
expect that won't happen again in 2012,” although it may be
“overshadowed by other events,” Mr. Geiger said.

Celeste King, a founding partner with Walker Wilcox Matousek L.L.P. in
Chicago, said there is a greater likelihood this year than previous
years that legislation would be passed, “which isn't the same as
saying it will happen.”

Still, members of Congress “all seem relatively on the same page” in
terms of being interested in doing something, and this is “probably
one of the lesser controversial things” before them, she said.

Robert Dix, Washington-based vp of government affairs and critical
infrastructure protection for technology company Juniper Networks
Inc., said, “I think that there are some opportunities right now.”
Data breaches have “been a topic that we've been kicking around for
quite a few years, and I think there are some opportunities to come to
some bipartisan agreement on some chewable bits around this topic, and
not try to load up the Christmas tree with all kinds of arrangements.”

Beth Diamond, New York-based focus group leader for technology, media
and business services for Beazley Group P.L.C., said the prospect that
federal legislation will pass is very good. She said she believes
there is strong bipartisan support for a federal cyber security law,
and many versions of potential legislation are pending in Congress.

“I think what's been missing is somebody really showing some
leadership,” Ms. Diamond said. “What we've seen in the past few
weeks is that Senate Majority Leader Harry Reid, D-Nev., is looking to
break that gridlock and get some movement.” When Congress returns this
month from its recess, “I think you're going to see some real
movement,” she said.

In a Nov. 17 letter to Senate Minority Leader Mitch McConnell, R-Ky.,
Sen. Reid said, “Given the magnitude of the threat and the gaps in the
government's ability to respond, we cannot afford to delay action” on
critical legislation related to cyber security.

“For that reason, it is my intent to bring comprehensive cyber
security legislation to the Senate floor for consideration during the
first Senate work period” in 2012. “It is my firm hope that the
working groups will be able to achieve an agreement on legislation by
then, but I believe the cyber threat to be of such urgency that we
must act whether or not such agreement can be reached.”

However, Lori S. Nugent, a partner with law firm Wilson Elser
Moskowitz Edelman & Dicker L.L.P. in Chicago, said she does not
believe that federal cyber legislation is necessary.

Federal agencies and state governments “have increased their hiring of
regulators to enforce existing laws that are impacted by data
security,” she said. “I anticipate that in the coming year, more
aggressive regulatory activity will take place and that additional
legislation is not needed to support this activity.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
