BreachExchange mailing list archives

Breach Bill: Adverse Impact on Privacy?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:07:57 -0600

http://www.databreachtoday.com/blogs/breach-bill-adverse-impact-on-privacy-p-1829

A compelling argument for a national data breach notification law is that
businesses would need to comply with only one set of standards, a point
made by President Obama on Jan. 12 in remarks delivered at the Federal
Trade Commission:

"Right now, almost every state has a different law on this, and it's
confusing for consumers and it's confusing for companies - and it's costly,
too, to have to comply to this patchwork of laws."

Businesses don't like the fact that they must comply with 47 different state
notification laws and, on the surface, enacting a federal statute to
pre-empt state laws makes sense. But would simplifying data breach
reporting justify the loss of privacy protections a handful of states
provide citizens if a single national law is enacted? A national statute,
as proposed in draft legislation, wouldn't just standardize when consumers
and authorities would be notified of a breach; it would also usurp other
security measures aimed at safeguarding citizens' personally identifiable
information that some states provide.

Take, for instance, Massachusetts, which in 2010 enacted one of the most
stringent IT security requirements any government has imposed on
businesses. The commonwealth requires businesses and other organizations to
take a number of proactive steps to secure personally identifiable
information on any state residents.

The draft federal legislation to be considered at a March 18 hearing of the
House Energy and Commerce Committee would pre-empt the Massachusetts
regulations should it become law (see Seeking Compromise on Data Breach
Notice Bill).

Vocal Opposition

Massachusetts Assistant Attorney General Sara Cable will tell lawmakers at
the hearing that the state objects to a national law that would eliminate
privacy protections the state has granted its citizens.

"Ensuring the security and privacy of Massachusetts residents' personal and
financial information is a priority of our office," says Jillian Fennimore,
the AG's deputy press secretary. "We strongly oppose any legislation that
undermines the protections now afforded to consumers in our state."

Massachusetts demands a lot from those holding personal information about
its citizens. Its regulations require each organization to implement a
written comprehensive information security program to protect citizens'
PII, and to designate at least one employee to maintain the program.

The Massachusetts rules are quite prescriptive. For example, they require
businesses to block access to user identification after multiple
unsuccessful attempts to gain access, and they require the encryption of
all transmitted records and files containing PII that travel across public
networks or are sent wirelessly.

When TD Bank agreed to pay $625,000 in a settlement last year after a
breach, then-Massachusetts Attorney General Martha Coakley pointed out that
the fine didn't just cover the failure to provide timely notification to
consumers and authorities, but also the failure to properly secure PII:
"Businesses are required to secure the sensitive information that consumers
entrust to them, and cannot subject consumers to unnecessary risk by
failing to provide prompt notice when that information is compromised or
lost."

Less Stringent Legislation

By contrast, the federal draft breach notification legislation to be
considered at the House hearing isn't explicit on how businesses and other
organizations should ensure data security. The section of the measure titled
"Requirements for Information Security" is a mere 43 words in length, and
states:

"A covered entity shall implement and maintain reasonable security measures
and practices to protect and secure personal information in electronic form
against unauthorized access as appropriate for the size and complexity of
such covered entity and the nature and scope of its activities."

A federal law would give businesses far more leeway than does the
Massachusetts regulation in deciding how best to secure the privacy of the
data they store. That approach would find favor among the majority in
Congress who have a distaste for government regulation and believe
businesses - not government - know best how to secure their IT.

But doesn't Massachusetts have a right to decide how best to protect its
citizenry? Couldn't Congress find a compromise, where it standardizes how
businesses notify consumers and authorities of data breaches but allows
each state to decide how its citizens' personal data should be
safeguarded?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 