Data Breaches Bring Back Failed Legislation From the Dead

Sen. Leahy and Rep. Bono Mack are pushing separate bills that would punish slow disclosure of data breaches. Versions of both bills failed earlier.

By John Adams

Public fallout from the data breaches that have affected Citigroup and other large enterprises in and out of finance in recent weeks has reached the political push back stage, with both Sen. Patrick Leahy (D-Vt.) and Rep. Mary Bono Mack (R-Calif.) hoping the events will breathe new life into data protection legislation that’s failed in the past.

Sen. Leahy has introduced the Personal Data Privacy and Security Act of 2011—co-sponsored by Sen. Charles Schumer (D-N.Y.) and Ben Cardin (D-Md.). It follows similar bills that failed to advance in the Senate in 2005, 2007 and 2009. In 2009, the bill passed the Senate Judiciary Committee, but faced industry opposition and did not reach a vote in the full Senate.

The new bill would introduce federal criminal charges against enterprises that don’t disclose breaches in a timely manner. It would also require certain brokers to disclose the personal data records that they share with third parties, as well as disclose how inaccuracies in databases are corrected.

Leahy did not respond to request for comment by Tuesday morning. The Senator’s office did say that the act contains a similar standard to the Obama Administration’s May 12 cyber security proposal. That proposal advocated the development of a national data breach reporting system.
The Senator’s office also said the requirements under his act would require, under threat of fine or imprisonment, businesses and agencies to notify affected individuals by mail, telephone or email of a security breach “without unreasonable delay” (though the exact deadline desired by the Senator was not disclosed). Media notices would be required for breaches involving 5,000 or more people.  And the FBI and Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of 1,000,000 or more people, or impacts federal databases or law enforcement.

In the House, Rep. Bono Mack’s bill would require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach. The bill’s based on a piece of legislation called the Secure and Fortify (SAFE) Data Act, which passed the House during the last Congress, but did not advance in the Senate. The Bono Mack bill also contains data security requirements that would not apply to firms subject to the Gramm-Leach-Bliley Act or HIPAA, which would excuse many financial institutions and healthcare firms from that part of the bill.

Rep. Bono Mack’s office did not return requests seeking comment by Tuesday morning, and the Financial Services Roundtable, which opposed Leahy’s past attempts at passing a similar bill, declined comment on his new legislation.  On Tuesday, Leigh Williams, president of BITS, the tech arm of the Financial Services Roundtable, testified before the Senate Committee on Banking, Housing and Urban Affairs, expressing support for the Obama Administration’s cyber security proposal, which would require a national standard for breach notification.

Judith Hurwitz, president of Hurwitz and Associates, a technology consultancy, says that while consumers already have liability protections against data theft, there are other dangers from data breaches that could be mitigated by extra protection.

“It’s not just a compromise of a specific payment, it compromises someone’s identity,” she says.
Banks frequently come under fire for not immediately disclosing data breaches. In the case of the recent Citigroup breach, the bank responded to criticisms of such a delay (the breach was publicly disclosed a couple of weeks after it was discovered) by saying the compromised accounts were flagged for protection immediately minimizing actual exposure.

“While [a disclosure law] may not technically make a huge difference in terms of [actual loss exposure], it increases pressure on entities to not assume that they can fix a problem and ‘nobody has to know,’” Hurwitz says.

Source: http://www.americanbanker.com