BreachExchange mailing list archives

New hopes for U.S. data breach law collide with old reality


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 11 Feb 2014 18:22:17 -0700

http://news.yahoo.com/hopes-u-data-breach-law-collide-old-reality-203326613--sector.html

Data thefts at U.S. retailers have rekindled enthusiasm in Congress for a
single federal law on how customers should be notified about such breaches,
but those efforts face the same roadblock as in the past: dozens of
overlapping state laws already in place.

Congressional hearings and calls for new powers by consumer protection
agencies followed quickly after breaches at retailers Target Corp, Neiman
Marcus and Michaels Companies were revealed.

Several Senate bills that languished in past years have been revived,
spearheaded by powerful Democrats on commerce, judiciary, intelligence and
homeland security committees.

But the new bills are mostly reiterations of old ones that failed to
advance, in some cases repeatedly. And the same hurdles to reaching
agreement in the past remain powerful obstacles, notably the question of
whether or how the federal law would trump, or pre-empt, state regulations.

"Pre-emption is going to be a major part of discussions," Representative
Lee Terry, a Nebraska Republican working on a data security bill in the
House of Representatives, said last week after a hearing on the data
breaches.

The issue tracks a peculiar path in Congress. Privacy concerns cut across
party and ideological lines, sometimes uniting staunch conservatives with
liberals. And efforts involving multiple committees often face slightly
different agendas, with gridlock often the result.

"Tech is very complex policy," said one Senate aide. "It's hard to move
legislation sometimes."

TUG OF WAR

Although federal laws already regulate how specific industries, such as
banks and hospitals, handle compromised data security, certain other kinds
of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws
that tell companies when and how consumers have to be alerted to data
breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella
federal law face a tug of war between companies, consumer advocates and
state authorities.

Large companies working across state lines argue that state laws present a
patchwork of regulations and compliance poses a challenge. Companies often
issue one nationwide notice to consumers with state-specific supplements at
the end.

"Certainly, one standard is easier to follow than 47," John Mulligan,
Target's chief financial officer, told lawmakers at a hearing last week.
The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also
restated its decade-old position in favor of a nationwide standard that
would pre-empt state rules.

"A preemptive federal breach notification law would allow retailers to
focus their resources on complying with one single law and enable consumers
to know their rights regardless of where they live," the lobbying group
wrote to lawmakers.

STATES' ENFORCEMENT POWER

Some state attorneys general worry above all that federal standards would
dilute their power to pursue violators.

Illinois Attorney General Lisa Madigan said last week that states must keep
their ability to enforce. Only under those conditions "it's potentially
reasonable to say 'OK, we're going to pre-empt you,'" Madigan said.

"As long as we still retain the ability to respond to our consumers, and
this is looked at in some ways potentially either as a floor and not a
ceiling, we understand your role."

But charting such a course would be less palatable to powerful industries
and some lawmakers.

"There are 47 state standards, there's no reason to add a 48th," said
Terry, the most prominent Republican leading a legislative effort at this
point.

Consumer advocates say that the companies' call for a single law masks the
goal of having a weaker federal standard that would trump stricter laws on
the books in states like California and Massachusetts.

"None of the federal proposals are as strong as the strongest state laws
and that's wrong," said Edmund Mierzwinski, consumer program director at
U.S. Public Interest Research Group. "I don't think we need (a federal law)
that's weaker than California's."

California was the first state to adopt a data breach law in 2003. After a
decade of fine-tuning, it requires a detailed disclosure to consumers "in
the most expedient time possible and without unreasonable delay" when
personal information, including emails with passwords, is "reasonably
believed" to have been stolen.

Though many state requirements are broadly similar, some states, such as
Montana and Ohio, require notification only if a breach poses or is
believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information
is included. A common definition includes name combined with the Social
Security number, driver's license number or payment card number together
with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data
breach notification laws.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
