Breach Notification Proposal Lacks Teeth
Experts Say Obama's New Plan Too Vague
Obama's proposal is part of a U.S. cybersecurity agenda released May 11 by the White House. [See Obama Offers Breach Notification Bill.]
If enacted, the breach notification policy would apply to for-profit and not-for-profit businesses that use, access, transmit, store, dispose of or collect sensitive PII about more than 10,000 individuals during any 12-month period. The Federal Trade Commission would be responsible for enforcing the law, along with state attorneys general, and civil penalties for non-compliance could total $1 million, unless the violation is determined unintentional.
Obama's proposal would trump existing state notification laws currently on the books in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands. But the policy would not apply to U.S. healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has requirements that are somewhat similar.
Yet, Neal O'Farrell, founder of the Identity Theft Council, a grassroots network that provides support for victims of identity theft, says the proposal, as written, won't have much impact. "It's very vague," he says, and lacks any mandates for consumer education and support, as well as a way to classify breaches. [See Battling 'Breach Fatigue.']
"I don't see any mention of e-mails being considered sensitive data. Would that mean Epsilon would not be covered by the legislation?" O'Farrell asks. And "capping civil penalties at $1 million seems too generous to the offending organizations," he says. "I think what they did was create a clearer way for breached entities to respond, but then they let them off too easy."
Open Questions
Philip Alexander oversees wholesale risk and compliance for Wells Fargo Bank and wrote the book Data Breach Disclosure Laws - a State by State Perspective, now in its second edition. He and O'Farrell question these elements of the federal proposal:
Impact on Public Sector. "For one, it focuses on the private sector," Alexander says. In contrast, about one-third of current state-level breach notification laws also focus on business entities, he says. "The other two-thirds are more self-policing, holding state agencies accountable for breach notification. So, if this goes through, I have to wonder how it would impact state agencies," he says.
Role of Credit Bureaus. In addition to notifying the FTC and consumers affected by a breach, businesses would have to notify the local news media if more than 5,000 people were impacted within any state. Businesses also would have to notify national credit reporting agencies. But O'Farrell says that mandate will likely hold little water.
"Notifying the credit bureaus of the breach seems vague," he says. "There is no mention about whether they identify to the bureaus which consumers have been affected and what the bureaus should do. I assume the bureaus will do nothing."
Exemptions and Encryption. The proposal also includes a financial fraud prevention exemption for businesses that participate in security programs that block sensitive PII and notify consumers after security breaches that result in fraud or unauthorized transactions. Alexander says that stipulation seems somewhat unnecessary. "Most financial institutions are already doing a lot of this," he says.
What Alexander finds more interesting is the proposal's lack of mandates for encryption - a step back from some of the tougher state laws, such as those in Nevada and Massachusetts. The proposal does, however, note that breaches do not have to be reported if the breached data "was rendered unusable, unreadable or indecipherable," a safe harbor, of sorts, for encryption. But no explicit mandate for encryption is included, as it has been at the state level, in some cases.
"Those newer state laws say you must encrypt certain data," Alexander says. "If you don't encrypt, you can be fined, even if you aren't breached," he says.
But that's a hard standard to enforce, Alexander says, and auditing private businesses to ensure data and databases are encrypted poses its own challenges. That said, businesses, especially in the financial arena, need to be responsible.
"Basically, every bank or business that has sensitive information, especially financial information, if they are not encrypting data, they need to," Alexander says. "It's borderline irresponsible not to encrypt. We've known for a long time that this is vulnerability. So, if you have sensitive information, you have to encrypt it."
Definition of 'Sensitive.' Another point the federal proposal does not broach: How businesses define "sensitive" information. Alexander says most businesses and financial institutions are coming up with their own internal ways to define what is sensitive. But some guidance from the government would help smaller entities that struggle with knowing how to handle and protect certain pieces and parts of consumer information.
"Some things are sensitive in and of themselves, and sometimes information is sensitive only if it's combined with something else," Alexander says. And more details about what businesses should do internally after a breach, as part of a post-risk assessment, would be beneficial as well, he says.
Another point about the federal breach notification proposal is that, like HITECH, it allows organizations to conduct their own risk assessments after a breach, and then determine whether the breach merits reporting. Privacy advocates have been critical of that so-called self-policing aspect of HITECH, and the same criticism is likely to surface here. But Alexander says this proposal likely has a long way to go before actually becoming a law.
"At the end of the day, I don't think we'll see this become a law anytime soon," Alexander says. "I don't think anything is going to move quickly over the next year and a half."