WASHINGTON - The U.S. Congress will look to pass consumer data protection legislation as it returns next week from its mid-year
recess, but if Congress fails to act, a tough new state law will force interstate companies to disclose virtually all data
breaches, no matter how small the risk.
A New York data breach law, signed by Governor George Pataki on Aug. 10, would take effect in mid-December. New York, the
19th state to pass a data breach notification law, would allow no exceptions for companies that have their own disclosure
policies.
The New York law requires companies to disclose any unauthorized breach of databases that contain New York residents' personal
information such as Social Security, drivers' license and credit card numbers, with a limited exception for some encrypted
data. The New York law makes no exception for small data breaches or breaches unlikely to result in identity theft, despite
concerns raised by groups such as the Information Technology Association of America (ITAA) that customers could be bombarded
with too much notification in cases where there's little chance of harm.
Congress and about 35 state legislatures have considered data breach notification laws this year, as more than 60 companies,
complying with a 2003 California law, announced breaches affecting millions of U.S. residents. Although the California
law requires that companies notify only California residents, it has become the de facto national standard, with companies
sending out notices to all customers.
The New York law would replace the California breach notification law, which includes some notification exceptions, as the national
standard if Congress doesn't pass its own bill preempting state legislation, said Dan Burton, vice president of government
affairs for Entrust Inc., a security software vendor. "If you're breached, you've got to notify," Burton said of the New York
law.
Even data brokers have called for a national breach notification law to preempt what the ITAA and others call a "patchwork"
of state laws, and a data breach bill is likely to be one of the top technology-related bills in Congress during the rest
of 2005. While some industry groups have advocated a preemptive breach notification bill with few other regulations, consumer
and privacy groups have called for sweeping ID theft protections.
With the 19 state laws already passed and Congress focusing on the issue, even enterprise customers normally opposed to regulations
recognize that a national law is likely, said Kevin Brown, vice president of marketing for Decru Inc., a storage security
vendor. "In today's legislative environment, I don't think you're going to get a bill that just cancels the state laws," Brown
said. "They'd love to have less regulation in general, but in this case, I think everybody's fairly realistic. What enterprises
are looking for is guidance."
Privacy advocates such as the Electronic Privacy Information Center and the Center for Democracy and Technology have called
for Congress to regulate data brokers that sell personal data without the owners' knowledge. The owners of that data have
a right to know how data brokers are profiting from their information, those groups have argued.
Several issues complicate the prospect of a bill passing. With congressional elections this November, Congress will be in
a hurry to wrap up its work in October and get out on the campaign trail. Other issues, including a response to Hurricane
Katrina and several appropriations bills, will demand congressional attention, as will a second tech-related issue: freeing
up wireless spectrum after a transition to digital television.
In addition, Congress is hardly united on the path to take on breach notification. After the series of high-profile breaches
earlier this year, many in Congress rushed to respond. Burton counted nine data breach bills introduced this year, and three
Senate committees began putting together their version of data breach notification bills.
Some of the bills, including one moving through the Senate Judiciary Committee, go beyond breach notification. The Judiciary
bill, sponsored by Pennsylvania Republican Arlen Specter, would allow consumers to ask data brokers for a report on what personal
data they hold. The Specter bill would also limit the commercial sale of Social Security numbers, and set rules for the government
use of personal data.
One high-ranking Senate staffer working on another bill called the sale of Social Security numbers a "different issue entirely"
that could distract from the passage of a breach notification bill. "We don't want to get into an omnibus privacy bill," the
staffer said. "That may not be legislatively feasible."
Beyond a continuing debate about the ground a data breach notification bill should cover, disagreements continue over what
should trigger notification. ITAA and other industry groups have pushed for Congress to require notification only when it's
likely that the breach resulted in the compromise of personal data. Consumers could otherwise get flooded with notifications
and ignore the important warnings, said Greg Garcia, vice president of information security at ITAA.
Some bills would make no notification exemption for encrypted data, but companies would then have little incentive to protect
personal data by encrypting it, Garcia said. "We thought, what is the purpose of that -- notify early and often?" he said.
"There ought to be a fairly reliable risk-based test to the extent that information that has been breached is likely to be
exploited."
But Entrust's Burton questioned how Congress could define a breach that's likely to be exploited, leaving interpretation to
the breached company. Instead, an easier route is for Congress to require notification of any breach beyond breaches involving
encrypted data, he said. "The standards that most of the states have -- any unauthorized access -- is probably the right standard,"
he said.
While Congress seems to be headed to a breach notification law sooner or later, some groups question whether such a law would
actually benefit consumers. In most cases of credit card fraud, customers are responsible for US$50 or less, noted Tom Lenard,
research director of the Progress and Freedom Foundation, a conservative think tank. In the end, the cost of a breach notification
law to companies, which pass their costs on to consumers, may be larger than the benefit, he said.
Instead of a law, Congress should look to industry to manage the problem and cut its losses due to data theft, he said. "Even
in the best of circumstances, the cost/benefit analysis doesn't work out all that favorably," he said. "There are lots of
incentives for businesses to solve this problem themselves."
Other technology issues
Beyond data breach notification, a handful of other technology-related issues have surfaced in Congress this year:
-- Digital TV transition: Congress seems poised to set a firm date for U.S. television stations to abandon analog signals
in the 700 MHz radio spectrum band. Technology companies are asking Congress to set a firm date after nearly two decades of
debate, because that chunk of spectrum could be used for a variety of wireless technologies.
Several concerns remain, including what would happen to the millions of U.S. TV sets still receiving over-the-air analog signals.
But lawmakers want to move a bill forward, partly because spectrum auctions could bring billions of dollars to the federal
budget.
-- Spyware: An antispyware bill passed through the House of Representatives in May, but the bill seems to be stalled in the
Senate. Some critics have said the bill is overly broad, and technology vendors should be given more of a chance to deal with
the problem.
-- Telecommunications reform: Several lawmakers have pushed for telecom reform, with some advocating a wide-ranging rewrite
of the Telecommunications Act of 1996, and others pushing for Congress to carve out exemptions to traditional telecom regulations
for VOIP (voice over Internet Protocol). It appears, however, that telecom reform will take a back seat to other issues until
2006.