
Senators Float National Data Breach Law, Take Four

Data Security Bill is fourth attempt to craft a national law to supersede legislation now on the books in more than 40 states. But it's weaker than some state laws.

Senate Republicans have introduced draft legislation aimed at creating a single national standard for reporting data breaches.

Dubbed the Data Security and Breach Notification Act of 2012 (S.3333), the legislation was introduced Thursday by Sen. Pat Toomey (R-Pa.). Other backers of the bill include Sens. Olympia Snowe (R-Maine), Jim DeMint (R-S.C.), Roy Blunt (R-Mo.), and Dean Heller (R-Nev.).

The draft bill would also require businesses and government agencies to "take reasonable measures to protect and secure data in electronic form containing personal information." The Federal Trade Commission would enforce the legislation, and could fine organizations that violated the law up to $500,000 per incident.

"This is at least the fourth attempt at passing national legislation in the U.S. to consolidate the more than 40 different state laws currently in place. A single law will simplify compliance and ensure a more uniform notification process when a breach occurs," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.


"Some Republicans in Congress have expressed support for something like the Data Security Act because they prefer a singular, national standard rather than differing state laws," reported The Hill. The bill would override any data breach legislation currently on the books at the state level.

The new bill proposes multiple thresholds for reporting breaches. First, an organization would have to report a breach only if it "reasonably believes [the breach] has caused or will cause identity theft or other financial harm." Also, if the breach involves the records of 10,000 or more people, the organization would need to notify the FBI and Secret Service. Any organization that stored data with a third party would face the same reporting requirements once the third party alerted it to the breach. However, notifications could be delayed at the request of federal law enforcement agencies when they would impede an investigation, and they could be delayed indefinitely for national security purposes.

Under the bill, affected U.S. citizens and residents could be notified in one of three ways: by a letter to their postal address, a phone call, or an email. Email, however, may be a poor way to reach customers. In the recent LinkedIn password breach, for example, many users of the social networking site mistook the site's email alerts about the breach, which asked them to reset their passwords, for spam.

In cases where such notifications would incur "excessive cost," or when breached organizations don't have a person's contact details, they'd instead be allowed to post a "conspicuous notice" on their website, or to run notifications via print and broadcast media, in areas where people affected by the data breach are located.

Today, more than 40 states require that businesses notify their residents when their personal information may have been breached. Most of these laws are modeled on California's data breach notification law, SB 1386, which went into effect in 2003 and requires any business or agency that suffers a data breach to notify all affected California residents.

Under various states' laws, however, there can be some important caveats. For example, breaches involving medical information may need to be reported only to a government agency and not otherwise publicly announced.

Companies are keenly aware of data breach notification requirements, and this has led some businesses to store customer data in countries with weak notification laws. On the upside, however, board-level awareness of the threat of data breaches finally became widespread in 2011, after hacktivist groups such as Anonymous and LulzSec targeted businesses and government agencies not for the financial payoff of their customer information, but simply because they didn't like the organizations.

So how does the Senate's attempt at a national data breach law stack up? For starters, it's unclear what would constitute the "reasonable measures" the bill requires. "What's 'reasonable'?" asks a blog post by a privacy advocate and data breach blogger who publishes under the handle "Dissent."

"Although we don't want a bill that would need revision every time new security measures become available, is it really 'reasonable' in today's world to consider unsalted MD5 'reasonable' security?" he said. "How should a data security requirement be written to set the right standard without getting into specific methods?"
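To make the objection concrete, the following added example (written for this page; it is not code from Dissent's post, the article, or any breached company) contrasts the unsalted MD5 storage the quote refers to with a salted, iterated hash from the Python standard library. The wordlist and the three user records are constructed for illustration, and every function name is this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist, standing in for the leaked-password lists that
# cracking tools are fed (an assumption of this example, not real data).
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty"]

# Constructed user table: two users happen to share the same weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}


def md5_unsalted(password: str) -> str:
    """The scheme the quote questions: a single MD5 over the password alone.
    Every user with the same password gets the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Reverse unsalted hashes with a precomputed table. One hash per candidate
    word covers every account in the dump, however many records leaked."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh 16-byte random salt
    per user means equal passwords yield different records, so a single
    precomputed table no longer applies, and each guess costs `iterations`
    HMAC evaluations instead of one MD5."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so verification timing leaks nothing about the digest."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist: list) -> dict:
    """With per-user salts the attacker must re-hash the whole wordlist for
    every account. Weak passwords still fall, but the work is no longer
    shared across users and is multiplied by the iteration count."""
    found = {}
    for user, record in stored.items():
        for w in wordlist:
            if pbkdf2_verify(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_hash(p, iterations=1000) for u, p in USERS.items()}
    print("unsalted MD5, alice == bob:", unsalted["alice"] == unsalted["bob"])
    print("cracked from unsalted dump:", crack_unsalted(unsalted, WORDLIST))
    print("PBKDF2, alice == bob:", salted["alice"] == salted["bob"])
    print("cracked from salted dump:  ", crack_salted(salted, WORDLIST))
```

The point the example makes is the one Dissent raises: salting and iteration do not rescue a password that is in the attacker's wordlist (alice and bob are recovered either way), but unsalted MD5 lets one precomputed table unmask every account in a dump at once, while the salted scheme forces per-account, per-guess work that an iteration count can make arbitrarily expensive.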

Furthermore, the bill is noticeably weaker than laws that are already in effect in many states. According to privacy attorney Kimberly M. Wong at law firm Baker Hostetler, for example, Connecticut--a state that is "in the forefront in protecting the personal information of its residents"--now requires a data breach notification to be made whenever there's a "breach of security." The state's data breach notification law defines such a breach as the "unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."

In other words, the Senate bill would weaken the data breach notification protections that residents of many states currently enjoy under state law. "This bill might benefit businesses, but it certainly doesn't help consumers who live in states with strong laws," said "Dissent."
