
Senators Float National Data Breach Law, Take Four

Data Security Bill is fourth attempt to craft a national law to supersede legislation now on the books in more than 40 states. But it's weaker than some state laws.

Senate Republicans have introduced draft legislation aimed at creating a single national standard for reporting data breaches.

Dubbed the Data Security and Breach Notification Act of 2012 (S.3333), the legislation was introduced Thursday by Sen. Pat Toomey (R-Pa.). Other backers of the bill include Sens. Olympia Snowe (R-Maine), Jim DeMint (R-S.C.), Roy Blunt (R-Mo.), and Dean Heller (R-Nev.).

The draft bill would also require businesses and government agencies to "take reasonable measures to protect and secure data in electronic form containing personal information." The Federal Trade Commission would enforce the legislation, and could fine organizations that violated the law up to $500,000 per incident.

"This is at least the fourth attempt at passing national legislation in the U.S. to consolidate the more than 40 different state laws currently in place. A single law will simplify compliance and ensure a more uniform notification process when a breach occurs," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.


"Some Republicans in Congress have expressed support for something like the Data Security Act because they prefer a singular, national standard rather than differing state laws," reported The Hill. The bill would override any data breach legislation currently on the books at the state level.

The new bill proposes multiple thresholds for reporting breaches. First, an organization would have to report a breach only if it "reasonably believes [the breach] has caused or will cause identity theft or other financial harm." Also, if the breached records cover 10,000 or more people, the organization would need to notify the FBI and Secret Service. Any organization that stored data with a third party would face similar reporting requirements once the third party had alerted it to the breach. However, breach notifications could be delayed at the request of federal law enforcement agencies when they would impede an investigation, and they could be delayed indefinitely for national security purposes.

Under the bill, affected U.S. citizens and residents could be notified in one of three ways: by a letter to their postal address, a phone call, or an email. However, email may be a poor choice for reaching customers. In the recent LinkedIn password breach, for example, many users of the social networking site mistook the breach-alert emails, which asked them to reset their passwords, for spam.

In cases where such notifications would incur "excessive cost," or when breached organizations don't have a person's contact details, they'd instead be allowed to post a "conspicuous notice" on their website, or to run notifications via print and broadcast media, in areas where people affected by the data breach are located.

Today, all 50 states effectively require that businesses notify their residents when their personal information may have been breached. Most of these laws are modeled on California's data breach notification law, SB 1386, which went into effect in 2003 and requires any business or agency that suffers a data breach to notify all affected residents of California.

Under various states' laws, however, there can be some important caveats. For example, breaches involving medical information may need to be reported only to a government agency and not otherwise publicly announced.

Companies are keenly aware of data breach notification requirements, and this has led some businesses to store customer data in countries with weak notification laws. On the up side, however, board-level awareness of the threat of data breaches finally became widespread in 2011, after hacktivist groups such as Anonymous and LulzSec targeted businesses and government agencies not for the financial payoff possibilities of their customer information, but simply because they didn't like the organizations.

So how does the Senate's attempt at a national data breach law stack up? For starters, it's unclear what would constitute the "reasonable measures" the bill requires. "What's 'reasonable'?" asks a blog post by the administrator of DataBreaches.net, a privacy advocate and data breach information blogger who publishes under the handle "Dissent."

"Although we don't want a bill that would need revision every time new security measures become available, is it really 'reasonable' in today's world to consider unsalted MD5 'reasonable' security?" he said. "How should a data security requirement be written to set the right standard without getting into specific methods?"
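To make the point behind the "unsalted MD5" question concrete, here is an added example (not code from the article or from DataBreaches.net) that stores the same constructed sample passwords two ways: the unsalted MD5 scheme the quote criticises, and a per-user salted, deliberately slow PBKDF2 scheme that is assumed here as the contrasting "reasonable" baseline. It shows why a leaked table of unsalted MD5 digests exposes the passwords with no effort, while the salted form does not.

```python
import hashlib
import hmac
import os

# Constructed sample users; two of them chose the same weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}

# Constructed stand-in for the precomputed MD5 tables of common passwords
# that circulate publicly; built inline so the example runs offline.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted_md5(password: str) -> str:
    """The scheme the quote criticises: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_table(digest: str):
    """Why it fails: identical passwords give identical digests, and a leaked
    digest is resolved by a single table lookup rather than any real work."""
    return MD5_TABLE.get(digest)


def store_salted_pbkdf2(password: str, iterations: int = 600_000) -> dict:
    """Hardened form: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


def compare_schemes(iterations: int = 600_000) -> dict:
    """Store USERS under both schemes and report what a leaked table reveals."""
    md5 = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: store_salted_pbkdf2(p, iterations) for u, p in USERS.items()}
    return {
        "md5_alice_equals_bob": md5["alice"] == md5["bob"],
        "md5_recovered": {u: recover_from_table(d) for u, d in md5.items()},
        "salted_alice_equals_bob": salted["alice"]["digest"] == salted["bob"]["digest"],
        "salted_verify_ok": verify_salted_pbkdf2("letmein", salted["alice"]),
        "salted_verify_wrong": verify_salted_pbkdf2("wrong", salted["alice"]),
    }
```

Running compare_schemes() shows alice's and bob's MD5 digests are identical and both resolve from the table, whereas their salted records differ and only the correct password verifies.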

Furthermore, the bill is noticeably weaker than laws already in effect in many states. According to privacy attorney Kimberly M. Wong at law firm Baker Hostetler, for example, Connecticut, a state that is "in the forefront in protecting the personal information of its residents," now requires a data breach notification to be made whenever there's a "breach of security." The state's data breach notification law defines such a breach as the "unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."

In other words, the Senate bill would compromise the state-afforded data breach notification protections currently enjoyed by many U.S. citizens and residents. "This bill might benefit businesses, but it certainly doesn't help consumers who live in states with strong laws," said "Dissent" at DataBreaches.net.
