Data breach bill leaves lots of wiggle room

The hand of government is not all that heavy on businesses when it comes to notification requirements about data breaches that affect personal information. And it looks like it won't get much heavier, even if a bill sponsored by U.S. Sen. Pat Toomey (R-Pa.) and four other Republican senators becomes law. It could even be a bit lighter.

While the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) require notification of health information breaches within 60 days, the pending bill doesn't even specify a deadline.

But the Data Security and Breach Notification Act of 2012, introduced last Thursday by Toomey and Sens. Olympia Snowe (Maine), Jim DeMint (S.C.), Roy Blunt (Mo.) and Dean Heller (Nev.), would set a national standard for data breach notification. That would trump a system in which 46 states, Washington, D.C., Puerto Rico and the Virgin Islands all have different laws.

And that much alone makes it a good thing, according to several security experts. Mark Baldwin, principal researcher and consultant at InfosecStuff, said: "It will eliminate the current patchwork of state laws that businesses must comply with concerning data disclosure, which will make compliance easier for most businesses."

"And consumers will also benefit, as they will be notified of a data breach that could impact them, regardless of the state where they live," he said.

James Arlen, senior consultant with Taos, said he believes a national, or even global, standard is "absolutely" required. "A hodge-podge of state level regulations makes adherence difficult and provides too much leeway for 'malicious interpretation,'" he said. "Without a reasonable standard for notification, it becomes possible for corporations to hide malfeasance. That's simply not OK."

Randy Sabett, an attorney and information security/privacy specialist with ZwillGen, said other good things about the bill are that it sets maximum damages ($500,000) and sets a standard for what is considered a breach -- unauthorized access plus acquisition. "Those are good for business," he said.

But James Arlen is less enthused about the specifics in the bill regarding the protection of data and the lack of a specific deadline for notification.

The bill requires companies to take "reasonable measures" to protect data. It says that if data is "encrypted, redacted, or secured by any other method or technology that renders the data elements unusable," then even if that data were stolen, it would not be considered a breach.

"While that is good for the law, it is not good from an implementation point of view due largely to the abject failure of organizations to correctly encrypt or redact," Arlen said. "You can see it in every PDF with black boxes added over the unaltered lower layer."

The language saying data is exempt if it is rendered "unusable" is likely an impossible standard, since there is almost no encryption that could absolutely make that guarantee. But there is plenty of room between that and outdated encryption, such as that being used by the professional social networking site LinkedIn before the recent breach of about 6.5 million member passwords.

"I'd suggest that there be some regulation around what is acceptable for encryption," Arlen said. "And that the decision on [whether a company was doing it should] be at the behest of the FTC, not by the corporation that screwed up."

And Sabett acknowledges that there is plenty of room for interpretation of "reasonable measures."

There is also the matter of how timely those notifications have to be. Anne Salta of Threatpost took note last week that the University of Texas MD Anderson Cancer Center took almost two months to start notifying about 30,000 patients that their personal data, including "names, medical record numbers, treatment and/or research information, and, in some instances, Social Security numbers," were compromised when an unencrypted laptop was stolen from a physician.

But the center was in compliance -- it had met the 60-day deadline imposed by HIPAA. The Toomey bill doesn't even impose that much. It simply says that notification of a security breach "shall be made as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached."

James Arlen says that leaves too much wiggle room. "Not only does the 60 days provide time for criminals to do what they want with the information, it provides the company with time to manage the incident," he said.

He agrees with exceptions in the law if notification could compromise national security or law enforcement. But other than that, "there is no reason to delay notification beyond perhaps five business days. If you can notify your customers that they are one day late with their payment, you can notify them promptly that you've screwed up."

Dan Berger, president and CEO of Redspin, said while an investigative period is often necessary just to determine which individuals should be notified, "60 days is way too long. If the breach has resulted from unethical hackers or malicious insiders, the stolen data will generally be exploited fairly quickly after its theft."

Sabett disagrees, saying the problem with a hard deadline is that every case is unique. "You may not even know that you've had a breach after 60 days," he said.

But he added he believes there is a bigger issue at play. This bill, he notes, is one of dozens regarding cybersecurity that have been floated in the last several years, and it is too narrow. "We really need more than just data breach notification and reasonable security measures," he said.

Sabett points to a White House proposal from May 2011 that called for legislation covering other critical issues like penalties for computer criminals, voluntary information sharing, protection of critical infrastructure, intrusion prevention and privacy.

"We might not be able to include them all, but we should try to include more than one or two," he said.

Stories by Taylor Armerding