BreachExchange mailing list archives

Rancor over federal bill requiring companies tell customers about hackings


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Apr 2015 19:29:59 -0600

http://fortune.com/2015/04/15/security-bill-breach-notifications/


A new cybersecurity bill that would require companies that gather personal
data to notify their customers within 30 days of any data breach took one
step closer to becoming law Wednesday when the House Energy and Commerce
Committee approved a draft of the legislation. However, according to some
privacy advocates and consumer groups, the proposed bill might ironically
lead to weaker breach-notification standards than consumers have today.

There’s no doubt that information security is a hot topic now, with
companies like Sony Pictures Entertainment and JPMorgan reeling from recent
data breaches. The new bill, dubbed the Data Security and Breach
Notification Act, is intended to address this problem by ensuring that
consumers are told when a data breach occurs, echoing comments by President
Obama in January.

But because the bill imposes a single national standard on businesses that
collect customer data, privacy advocates worry that existing state laws
requiring notification will be preempted, with companies following only the
new federal rules instead of the state laws they currently must meet.

On Tuesday, six California privacy and consumer groups urged the House
Energy and Commerce Committee to oppose the bill by citing California’s
existing data-breach notification law from 2003 that they say is among the
strongest in the country. Clearly, their argument failed to persuade the
committee members, who passed the bill by a vote of 29 to 20.

Part of the problem with the new bill, according to consumer advocates, is
language that says businesses won’t have to disclose breaches to customers
if they discover that “there is no reasonable risk of identity theft,
economic loss, economic harm, or financial fraud.”

This could give companies an excuse to decide against disclosing breaches
that they themselves judge, with no outside review, to pose no financial
risk. Indeed, many companies that have been hacked haven’t had their
finances and bottom line impacted much at all.

Laura Moy, a senior policy counsel at the Open Technology Institute, a part
of the New America Foundation public policy think tank, reportedly told the
Washington Post that the federal bill essentially weakens breach-notification
standards for those states with tougher laws.

For example, companies operating under stringent state breach-notification
laws are required to tell consumers when their information was compromised,
regardless of any financial implication. The type of data covered might
include “things like order histories for cable or satellite video on demand
services,” Moy said. Although there’s no real financial harm to the
consumer if the information were to leak, the data could “reveal
potentially sensitive personal information, like sexual preferences,” she
added.

Additionally, the new bill has its share of Congressional critics including
some Democrats who believe that the bill is moving too fast.

“All of these things need a lot of time and work … I would like to see the
process slowed down,” said Congressman Frank Pallone, according to The Hill.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss