BreachExchange mailing list archives

Federal Data Breach Notification Proposal Fails to Satisfy All Interests


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 21 May 2011 01:46:19 -0400

http://www.eweek.com/c/a/Security/Federal-Data-Breach-Notification-Proposal-Fails-to-Satisfy-all-Interests-567286/

The proposed federal data breach notification law defines how
organizations should notify customers in case of a breach. But critics
can’t agree on whether the bill goes far enough.

The proposed federal data breach notification law will simultaneously
simplify and complicate things for organizations in the wake of a
security breach, experts said.

The White House outlined the data breach notification law within the
broad cyber-security proposal that was sent to Congress May 12. If
passed as is, the law would trump existing state notification laws
currently in place in 46 states, the District of Columbia, Puerto Rico
and the Virgin Islands. The Federal Trade Commission would be
responsible for enforcing the law along with state attorneys general.
Civil penalties for violations could total $1 million.

While there are good and bad things about the proposed bill, there is
a “net good” because it means there is only one law to follow in case
of a data breach, said David McIntosh, a partner in the intellectual
property group and corporate department at the law firm of Ropes &
Gray. One of the difficulties organizations face after having data
exposed or stolen has always been figuring out an appropriate response
that complies with various state notification laws.

“One of the joys of the federal bill is standardization. One of the
sorrows is that it’s not complete standardization,” McIntosh said.

Organizations will no longer have to negotiate “a patchwork of 47
state laws” after a data breach, the Obama administration said in its
proposal. However, the bill does allow states to require additional
actions, on top of the federal requirements, that an organization
would have to follow.

If a state decides it wants organizations to include information about
credit freezes or some local service in the notice that is sent to the
affected victims, it can enact such a provision, according to McIntosh.
The organization is then back to having to produce a different version
of the notification to meet that particular state’s requirements,
McIntosh said. But it will still be an improvement over the current
system, he said.

However, the bill changes the rules a little bit, and not necessarily
in a positive way. The proposed federal law defines personally
identifying information much more broadly than state laws have
traditionally defined it, which makes it “more complicated,” according
to McIntosh. Most state notification laws are “triggered” when the
data breach includes “name and a number,” that is, when the stolen
data includes the person’s first name, last name and some kind of
government-issued identification number, such as a Social Security
number or a driver’s license number, McIntosh said.

The proposed bill has broadened the scope of “sensitive personally
identifiable information” significantly, McIntosh said. The proposed
bill includes not only “unique biometric data” such as a fingerprint,
voice print, or a retina or iris image in its definition of PII
(personally identifiable information), but it also includes “any other
unique physical representation.”

“What does that mean? Is that a photo?” McIntosh asked. He said it
isn’t clear from the language whether the bill would include
photographs of people as part of PII.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
