Congress looks to pass data breach law

Tough New York law will take effect in December

Several issues complicate the prospect of a bill passing. With congressional elections this November, Congress will be in a hurry to wrap up its work in October and get out on the campaign trail. Other issues, including a response to Hurricane Katrina and several appropriations bills, will demand congressional attention, as will a second tech-related issue: freeing up wireless spectrum after a transition to digital television.

In addition, Congress is hardly united on the path to take on breach notification. After the series of high-profile breaches earlier this year, many in Congress rushed to respond. Burton counted nine data breach bills introduced this year, and three Senate committees began putting together their version of data breach notification bills.

Some of the bills, including one moving through the Senate Judiciary Committee, go beyond breach notification. The Judiciary bill, sponsored by Pennsylvania Republican Arlen Specter, would allow consumers to ask data brokers for a report on what personal data they hold. The Specter bill would also limit the commercial sale of Social Security numbers, and set rules for the government use of personal data.

One high-ranking Senate staffer working on another bill called the sale of Social Security numbers a "different issue entirely" that could distract from the passage of a breach notification bill. "We don't want to get into an omnibus privacy bill," the staffer said. "That may not be legislatively feasible."

Beyond a continuing debate about the ground a data breach notification bill should cover, disagreements continue over what should trigger notification. ITAA and other industry groups have pushed for Congress to require notification only when it's likely that the breach resulted in the compromise of personal data. Consumers could otherwise get flooded with notifications and ignore the important warnings, said Greg Garcia, vice president of information security at ITAA.

Some bills would make no notification exemption for encrypted data, but companies would then have little incentive to protect personal data by encrypting it, Garcia said. "We thought, what is the purpose of that -- notify early and often?" he said. "There ought to be a fairly reliable risk-based test to the extent that information that has been breached is likely to be exploited."

But Entrust's Burton questioned how Congress could define a breach that's likely to be exploited, leaving interpretation to the breached company. Instead, an easier route is for Congress to require notification of any breach beyond breaches involving encrypted data, he said. "The standards that most of the states have -- any unauthorized access -- is probably the right standard," he said.

While Congress seems to be headed to a breach notification law sooner or later, some groups question whether such a law would actually benefit consumers. In most cases of credit card fraud, customers are responsible for US$50 or less, noted Tom Lenard, research director of the Progress and Freedom Foundation, a conservative think tank. In the end, the cost of a breach notification law to companies, which pass their costs on to consumers, may be larger than the benefit, he said.

Instead of a law, Congress should look to industry to manage the problem and cut its losses due to data theft, he said. "Even in the best of circumstances, the cost/benefit analysis doesn't work out all that favorably," he said. "There are lots of incentives for businesses to solve this problem themselves."