Senate Republicans are moving to raise the bar on data-security breach regulations in the United States. Sen. Pat Toomey (R-Pa.) introduced draft legislation known as the Data Security and Breach Notification Act of 2012 on June 21st, in hopes of setting a national standard for how companies and organizations report data breaches to the people whose personal information has been stolen.
When a company or organization’s network or servers are breached, cybercriminals steal loads of sensitive private information, including names, credit card numbers, addresses, passwords and, in some cases, medical information. The legislation holds that regulation is needed for notifying individuals when their information has been stolen. Despite the act’s intention of being a step in the right direction (protecting consumers), the terms and timelines of its reporting processes have been criticized as vague.
The act would also require organizations to “take reasonable measures to protect and secure data in electronic form containing personal information.” What exactly is reasonable? The legislation’s critics have accused it of having no backbone. When it comes to details, the specifics just aren’t there, leaving far too much room for loopholes.
“This bill is one of dozens regarding cybersecurity that have been floated in the last several years,” said Randy Sabett, an attorney and information security/privacy specialist with ZwillGen, a law firm specializing in technology. “It is too narrow. We really need more than just data breach notification and reasonable security measures,” he said.
Until now, the Federal Government has left regulation of data breach reporting at the state level. Outside of a few exceptions (Alabama, Kentucky, New Mexico, and South Dakota), most states have policies in place to ensure their residents are notified when their information has been stolen (although some policies are laughable).
This is the system that has created the mess we are in now. “A national, or even global, standard is ‘absolutely’ required. A hodge-podge of state-level regulations makes adherence difficult and provides too much leeway for ‘malicious interpretation,’” said James Arlen, senior consultant with IT consulting and services company Taos.
Don’t mess with Texas. As of 2011, Texas has had its ‘act’ together. Under the law, which became effective September 1, 2011, entities experiencing a breach were required to provide notification to both affected residents and non-residents (if the non-resident lives in a state without regulation). Penalties for violations were increased to $100 per affected individual (per day of failed or delayed notification) and up to $250,000 for a single breach.
Because states like Texas have such well-defined laws around this issue, many argue that this new federal regulation would compromise and undermine existing state laws that currently provide better protection and flow of information to their citizens. Sounds to me like the Senators have a little more work to do…
Has your company ever had to report a data breach?