The idea of a voluntary breach notification framework came in a passing remark uttered by White House Cybersecurity Coordinator Michael Daniel during an interview I had with him last week at the RSA Conference 2014 in San Francisco (see Michael Daniel Speaks His Mind on Cyberthreats).
To be clear, Daniel stopped short of proposing the government lead an effort to establish a breach notification framework. But he made some intriguing points.
"We can use our convening power, like we have with [the cybersecurity framework], to talk about how we want voluntary standards to be in this space," says Daniel, a special assistant to the president. "There is certain space for us to make some progress in there without necessarily getting all the way to legislation."
Bypassing Congress to address important issues is an approach the administration has taken because of lawmakers' inability to enact legislation. Congress has failed to pass significant IT security reforms in a dozen years. Indeed, President Obama proposed the cybersecurity framework in his 2013 State of the Union Address because of the failure of Congress and the administration to agree on legislation on how best to protect the nation's critical IT infrastructure, which is mostly operated by private businesses.
Seeking Industry's Ideas
In developing the cybersecurity framework, a set of voluntary best practices aimed at securing the IT of the nation's mostly privately operated critical infrastructure, the National Institute of Standards and Technology convened a series of workshops and solicited advice from critical infrastructure operators, IT and IT security providers and other stakeholders on what should be included in the framework (see The Evolving Cybersecurity Framework). The end result was version 1.0 of the cybersecurity framework, which the government issued Feb. 12 (see NIST Releases Cybersecurity Framework).
A large part of the cybersecurity framework consists of processes employed by business. The framework is not a government prescription for IT security but a true collaborative document. NIST eventually will yield leadership of creating updated versions of the cybersecurity framework to the private sector.
Similarly, a breach notification framework could incorporate ideas from the private sector along with local, state and federal governments, as well as other stakeholders, such as educational institutions and not-for-profit organizations.
To spur industry to voluntarily adopt a breach notification framework, Daniel suggests federal agencies could lead the way by adopting it.
Complying with 46 Separate Laws
A big complaint about the current environment is that businesses and other organizations must comply with 46 separate state laws, all with different requirements. A national breach notification law would supersede state laws, making it easier for businesses to comply. But despite administration backing and the introduction of several breach notification bills in Congress (see Holder Calls for National Breach Law and Yet Another Data Breach Bill Introduced), it remains unlikely lawmakers will enact a federal breach notification bill this year (see Why U.S. Breach Notice Bill Won't Pass).
By getting involved in creating a set of breach notification best practices, businesses could shape a process that could help them notify customers, shareholders, law enforcement and other stakeholders in a timely manner.
Of course, a voluntary set of best practices wouldn't necessarily exempt an organization from complying with state laws. But getting stakeholders to agree on best practices could spur states to accept the notification framework as complying with their laws and, perhaps, motivate Congress to act on national legislation.
What's your thinking on establishing a voluntary data breach notification framework? Share your thoughts below.