Article

Federal breach notification stuck in Congress

Zach Church, News Writer
The cornucopia of state data breach notification laws -- only eight states are without notification requirements -- makes for a confusing process.

CIOs prepping a notification in the wake of a breach of personal information must comply with the law for each state in which a customer lives. That could potentially mean following the small details in at least 43 different laws (the District of Columbia has also passed legislation).

Yet federal lawmakers have yet to pass a similar law, though not for lack of trying.

Currently, Congress has its hands on no fewer than nine different bills that would set notification procedures of some sort. Three of those are specific to federal agencies and would not affect private businesses.

But the other six would. And from a response perspective, that could be a good thing.

    Requires Free Membership to View

More on data breaches
CIOs under fire and in front of the camera

Pre-emptive strategy best approach to breach notification
"These federal bills, almost all of them, would pre-empt the state ones," said Tanya Forsheit, a partner at Proskauer Rose LLP in Los Angeles.

"A federal omnibus data protection law would obviously impose uniformity and greatly simplify the issue of when notice has to be provided and under what circumstances," said Forsheit, who specializes in privacy and data security compliance law.

That could be especially beneficial to midmarket IT departments, which work with smaller staffs and may not have legal counsel on hand in the company.

Forsheit singled out two Senate bills as having the most traction right now. S. 495, known as the Personal Data Privacy and Security Act of 2007, is sponsored by Sen. Patrick Leahy, D-Vt., but is given equal support by Pennsylvania Republican Sen. Arlen Specter.

S. 239, known as the Notification of Risk to Personal Data Act of 2007, is sponsored by Sen. Dianne Feinstein, D-Calif. The bill made it through the Senate Judiciary Committee last year and has been untouched since then.

The elements of state security breach notification laws

Companies that lose personal data are required to follow the law set by the state in which the data's owner lives. Here are some idiosyncrasies to watch out for:

Definition of "personal information": Most laws define this as part of a name combined with a credit card number, Social Security number or other identifying digits.

Breach procedures: Pay attention to how quickly notification must be made and exactly what information a letter or call must include.

Exemptions: Many states exempt companies already beholden to the notification guidelines in the Health Insurance Portability and Accountability or Gramm-Leach-Bliley acts. Some states also allow an out if the compromised data is properly encrypted.

"Likelihood of harm": Some states don't require notification if it's unlikely any fraud or identify theft will be committed using the lost information.

Delays: Most states allow a delay in notification if law enforcement authorities request one to complete an investigation.

Safeguards: A handful of the state laws also require security measurements before a breach. In Texas, for example, personal information must be disposed of by "shredding, erasing or otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means."

"There hasn't been any action on most of these for a very long time," Forsheit said. "Most of the bills have been languishing for almost a year, or in some cases, a year now."

Many of the bills are simply updated versions of legislation that stalled in Congress in previous sessions.

Leahy's bill, too, has been in limbo since last May, when it was reported out of the judiciary committee and placed on the Senate calendar. Along with Feinstein's bill, it now awaits scheduling for floor discussion by Senate Majority Leader Harry Reid, D-Nev.

But neither bill has received that shot at moving forward, despite a recent push from Leahy and Specter to bring their bill to fruition.

On March 25, the two senators revived their calls for a law, citing the news that state department employees had snooped into the passport records of the three major presidential candidates. That was just one of their examples.

"This week, front-page headlines have delivered news about the theft last month of personal information from the National Institutes of Health," the Senators wrote in a March 25 letter to Reid and Mitch McConnell, the leading Senate Republican, of Kentucky.

"Earlier reports have involved virtually every department of the federal government," they wrote.

The two argued their bill would "provide protections for consumers, including a timely notification of data security breaches." The bill would also require government contractors to properly safeguard personal information, the senators wrote.

Senator Barack Obama, D-Ill., became a cosigner of the bill on April 1. The bill was introduced in early 2007.

S. 495 would require consumer notification "without unreasonable delay" if "sensitive, personally identifiable information" is lost, stolen or otherwise viewed.

That is defined as a person's first and last name, or first initial and last name, combined with a complete Social Security number, driver's license number, passport number or alien registration number. Financial account and credit card numbers, combined with a security code or password also qualify. There are also provisions for certain combinations of names and addresses, telephone numbers, birthdays and a mother's maiden name. Finally, data like fingerprints and iris images also apply.

Reasonable delay is defined as time required to determine how large the breach was and prevent a further breach. A delay is also acceptable with the OK of federal law enforcement agents.

Exemption from notification is also allowed if the information is encrypted in such a way that creates "no significant risk" in harm.

The bill allows for notification by mail, phone or email. Media notice is required if more than 5,000 people could be affected in a particular state. The notification must include a description of what information has been taken and toll-free numbers to contact the business and credit reporting agencies. It allows for states to require the business to provide information about victim protection assistance.

Most of the
bills have been languishing
for almost a year, or in
some cases,
a year now.

Tanya Forsheit
attorneyProskauer Rose LLP
Credit reporting companies would also need to be notified if more than 5,000 people could be affected -- an increase from 1,000 in a previous draft of the bill. Law enforcement notifications are also required in certain circumstances.

Feinstein's bill closely mirrors S. 495. It does not, however, include the Leahy bill's requirements for businesses to establish a "data privacy and security program."

Forsheit said there is some talk from consumer groups looking for a law that would require notification in the event of any data breach, though most of the bills have requirements like the encryption exemption.

But otherwise, she said she sees no major sticking point or debate that is holding the bills back. Breach notification does not appear to be a partisan issue, as evidenced by the dual support from Leahy and Specter.

Forsheit's best guess for the lack of movement? Congress has other issues to deal with.

Let us know what you think about the story; email: Zach Church, News Writer


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: