Part of the reason business is interested in a federal consumer data breach notification law is that there is currently a crazy quilt of state legislation -- 38 states and counting -- and compliance with all of them is difficult. Here are two perspectives on what "should" be included in a federal data breach notification law. What is your perspective? How would you define these elements at a federal level? Should a federal law be overly inclusive? Should encryption be a "safe harbor"?
From the perspective of businesses, a federal consumer data breach notification law should contain:
- Clear definitions of what is and what is not a "breach"
- Clear standards for how notification is to be provided
- Clear standards for when notification must be provided, e.g., how long after the breach is discovered
- Clear standards for who must provide notification: the owner of the data or the party responsible for the breach
- A notification trigger that allows a determination of the likelihood of harm or misuse of the data before notification is required
- Clear federal preemption of all similar state laws
- Enforcement by the Federal Trade Commission under rules promulgated by the FTC (as with Gramm-Leach-Bliley and CAN-SPAM)
- No private right of action
- "Safe harbor" for encrypted data
Consumer and privacy advocates are opposed to federal legislation if, in their view, it weakens existing state protections. From their perspective, a federal consumer data breach notification law should contain these measures:
- Companies must notify individuals whose personal information is compromised.
- Notification must occur by written means (electronic or by mail) without unreasonable delay.
- Companies must implement notification procedures and review and update them, if necessary, on an annual basis.
- "Companies" include all entities and individuals conducting interstate transactions that request or store personal information.
- Personal information includes an individual's first and last name in combination with one or more of the following: date of birth, Social Security number, account number, or driver's license number.
- Notification should be required without regard to whether there is a possibility of harm.
- Following notification to individuals of the breach, companies must take reasonable steps to change the compromised personal information to prevent unauthorized use of it.
- Private right of action and civil penalties for failure to comply.
- No preemption of more stringent/protective state laws.
What would you add? Delete? Share your thoughts by commenting below. Your comments and suggestions will be compiled and published as a new draft of a proposed federal law in an upcoming issue of CSO magazine. Don’t hold back.
Having worked for and with many Fortune 500 companies, including numerous IT and Business outsourcers, I would include the following:
1) If data was not stored in encrypted format, then a $1000 fine per individual whose information was stolen, and consumers may sue the company for damages if they can trace their identity fraud back to the theft of data from the company.
2) If the data was encrypted, then the company must provide one year of identity theft protection to those affected at no cost to the consumer.
3) If fewer than 1000 individuals are affected, notification in writing is required.
4) If more than 1000 individuals are affected, notification in writing and notification in newspapers, on radio, and on TV is also required.
5) Yearly security audit by an outside auditing firm to verify security methods for data storage for all publicly traded companies and any private company doing work for them. This includes companies based outside the US who are handling US personal information.
6) All personal information data thefts must be reported within 48 hours of detection to law enforcement, and consumers must be notified in writing within 10 business days. If the media announcement section is triggered, then newspaper, radio, and TV advertisements must be run within 5 business days.
7) Federal law does not supersede state laws which provide greater protection or invoke higher penalties.
The only way to truly fix these IT-related problems is to establish a GAAP-like set of IT practices and provide for CPA-like certification of those in the IT industry. Call it GAITP for Generally Accepted IT Practices and CPITP for Certified Public IT Principles. This will allow for more consistent IT policies and practices across Corporate America and provide a means for allowing IT Managers and Executives to stand up to the Business Executives without fear of reprisal for doing what they know to be right. The voluntary ISO and BSA frameworks are a good start, but we need to complete the transformation of IT into a profession governed by a professional association.
In addition to everything said so far,
a) Get rid of the interstate commerce provision. I'm not sure how you'd go about this legally, but we need a single (set of) law(s) that cover intra- and interstate commerce.
b) Reinforce, reiterate, reimplement, and ENFORCE, the original requirement from the Social Security Act that the SSN cannot ever be used for any reason by anyone excepting the Social Security Administration and the individual. No more using it as the unique ID for every database around.
c) Make the breach and notification laws part of the criminal code, not the civil code.
d) Unsustainably large criminal fines and possible jail time for failing to notify individuals after a breach. So large that a multinational would be bankrupted by conviction for nonnotification after a breach exceeding a few thousand identifiers.
e) Painfully large fines and possible jail time for the breach in the first place. Put the penalties at least on par with those for breach of fiduciary duty.
f) Legally enforceable (criminal, not civil) requirement that anyone, and I do mean anyone, public or private, including law enforcement and your doctor, who holds any information on you that constitutes a "personal identifier" under the law provide to the individual, upon request, a _complete_ copy of their files on you, for no more than a nominal copying and mailing cost. Say no more than a dime or quarter a page for copying/printing and a couple of bucks for mailing.
The bottom line is that these people think, believe, and act like it's their information, not mine. That's a load of bushwa and needs to be corrected immediately.
Heck, maybe just amend the kidnapping legislation to apply the same criminal code to data breaches and failure to notify.
I fail to see why this must become a federal issue and not something to be decided upon by each individual state.
That there is a role that the federal government could apply is true, but an all-encompassing law that completely overrides state law is just as likely to screw things up even worse than doing nothing at all. One of the benefits of having 50 states is that you can try 50 different approaches simultaneously and see which one will work better.
For example, the issue of homosexual marriage is something I hope never becomes a federal issue. Each state should be allowed to follow its own path and decide for itself on this issue, as many already have. And concepts such as a "civil union" would not have been created if a monolithic approach would have been applied to this issue. It is also easier to "vote with your feet" and move from New York to Florida if you disagree with government philosophies and laws than it is to move from the USA to Russia if you don't like these ideas, and if another state is successful or the proposed law doesn't appear to be as controversial in practice, it is easy to convince state legislators to adopt a different political stance on the issue.
It seems as though you also misunderstand the reason for the (much abused) interstate commerce provision of the U.S. Constitution. This clause was added to limit legislation explicitly because it was feared that a super-powerful federal government would weaken legitimate efforts by individual states to protect personal liberties. I hope that you see the problems that can come from federal legislation like the Patriot Act when the worst fears of the founding fathers are realized.
The other points I would have to modestly agree with you, although you miss a point with the SSN numbers: Their use is the one way to uniquely name each individual in America, and outlawing the use of SSNs in the manner that you are suggesting is only going to cause the rise of something similar or nearly identical. An SSN is only a name, and not a password to establish identity. Somehow you need some sort of system to distinguish each William Brown that exists in America when there are currently thousands of such individuals. Or any other very common name. Other countries also have similar naming systems that are also meant to do the same thing: distinguish individuals in a unique manner that is also short and simple to store in paper (and computer) files and is easily searched.
Personal information? Wazzat?
Seriously, what is needed is really reform on the credit bureau end. If a credit bureau says that I have taken out a credit card for $20k and charged it up, but I haven't, is that not libel? The real problem here is that we have this identity-based finance scheme, plus somehow knowing a name, social security number, etc., is enough to verify an identity? These things are not secret and were never meant to be! This is ridiculous! If somebody is able to convince a credit card company or mortgage broker to issue them credit by providing my name, my social security number, and a few other publicly available bits of info, I really don't care. It should be the credit issuer's loss, and not mine. The real reform is needed for afterwards, when I go to apply for credit and a credit bureau spreads false statements about me (by attributing the fraudulent transaction to me). Fix this, and the rest will snap in line, real quick.
The same goes for the idea that a credit card number is secret. It is not; it's printed on the card. Every merchant gets their paws on it, which is exactly the problem. Public key crypto has been around for what, 30 years? It's sheer laziness on the credit card companies that they haven't switched over to a decently secure system. But somehow, as it stands right now, people worry about getting their credit card numbers 'stolen'. Once again, until the burden of liability is shifted to those who are truly negligent, nothing will change.
We should be informed by companies that they have our personal information. We should also have the possibility to eliminate this information from their database.
This would enable us to follow the data trail and limit the damages ourselves.
After all, my personal information belongs to me and you (as a company) only have the right to use it as long as I let you - or so it should be.
There should be a unique account number for each account holder (and none of those umbrella account numbers spanning several subsidiaries).
This model will strike terror at the existing sub-financial industry, specifically credit tracking (i.e., Experian, TransUnion.) In fact, any pending legislation will yank the heart-string of these sub-strata (yet undesirable model) of the financial industry.
To truly address breaches of the future, all 3 account numbers would be required to complete any one transaction: merchant/giver, consumer/buyer, arbitrator/clearinghouse. This is the best way to be able to provide the end-user (consumer/buyer) the means to revoke his/her account number in case of a breach.
Also, it would provide for suitable privacy (should the consumer require or desire one) by rotation of such account number.
Private right of action provides a 'stick' to ensure that a corporation/company takes protecting data seriously. Any law without a method to fine/charge the offending company (I will use that term to encompass all corporate entities as well as companies) would in effect create a law that would cost a company nothing or little to ignore.
I suggest it should be considered under consumer protection, i.e. normally under consumer protection laws one can sue to seek 3 times damages from offending companies.
This statement, "Notification must occur by written means (electronic or by mail) without unreasonable delay. " leaves open the discussion of what 'unreasonable' means. I suggest notification be required within 2 business days of the breach being discovered.
No preemption of existing state laws. Once again, companies should be held accountable, and should a consumer not receive adequate redress through the federal law, they should be able to seek redress through the state and vice versa.
I also advocate that no 'safe harbor' for encryption be allowed as all encryption schemes can in time be broken. Ensuring data integrity/privacy requires securing systems and monitoring for breaches, merely encrypting your data ensures nothing.
Thank you for your time.
Imposing fines on the companies who spill the info AND providing some of that money to the people affected by the incident is a great idea! We always hear about companies being fined, but where does that money go!?!?!?!?
Agree with the fine, but it should increase dramatically for repeat offenders (taking into account the company needing a bit of time to implement the security provisions)
Regarding the "Safe harbor" for encrypted data:
Encryption techniques age badly. DES was good at one time, now it's...well...not so much. The same will happen with other encryption protocols. Safe harbor should only be granted for well-known encryption techniques with no known weaknesses. That way a company can't use DES and then claim 'safe harbor'. The company must also be aware of when the encryption protocols they use are no longer deemed to be secure.
Also, an encrypted file could be stored until such time as attacks become available on the encryption. Sounds unlikely, doesn't it? Encryption doesn't guarantee that someone will *never* be able to read the data; it just means that it's going to take a long long time to read it. A few years ago, the Secure Hash Algorithm (SHA-1), which had been considered robust, was suddenly shown to be vulnerable. What if the same sort of thing happened to AES or another cipher?
So, this boils down to
I would strike:
"Safe harbor" for encrypted data
Encrypted data does not mean the data is safe, for several reasons.
1) Company could be using weak (easily breakable) keys
2) Company could be using non-standard encryption algorithms
3) Company could be using wrong modes of encryption
4) Company encryption keys could have been compromised
4) Company encryption keys could have been compromised
5) Encrypted data could be stored in such a way that certain attacks have a much higher success rate, decreasing the potential key-space
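Editor's note: the following is an added example, not code from the CSO article or from any commenter above. It demonstrates three of the points raised against an encryption safe harbor (weak keys, wrong use of a mode, and a known plaintext format shrinking the effective key space) on constructed sample records. Because the Python standard library ships no block cipher, HMAC-SHA256 run in counter mode stands in for AES-CTR; that substitution is an assumption of the example, and the weaknesses shown apply to AES-CTR in exactly the same way. The PIN, salt, nonces and "SSNs" are all made up.

```python
import hashlib
import hmac
import os
import re


# Stand-in for AES-CTR (assumption: the stdlib has no AES). A keyed PRF applied
# to nonce||counter yields a keystream; XOR with plaintext gives the ciphertext.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


ctr_decrypt = ctr_encrypt  # XOR with the same keystream undoes the encryption


def key_from_pin(pin: str, salt: bytes, iterations: int = 10) -> bytes:
    # Deliberately low iteration count so the demo runs quickly. A higher count
    # only slows the attacker by a constant factor: there are just 10,000 PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


SSN_RE = re.compile(rb"^\d{3}-\d{2}-\d{4}$")


def brute_force_pin(ciphertext: bytes, nonce: bytes, salt: bytes, iterations: int = 10):
    """Weak key (point 1): walk the whole 10**4 PIN space. The known record
    format (point 5) tells the attacker which candidate is right."""
    for candidate in range(10_000):
        pin = f"{candidate:04d}"
        plaintext = ctr_decrypt(key_from_pin(pin, salt, iterations), nonce, ciphertext)
        if SSN_RE.match(plaintext):
            return pin, plaintext.decode()
    return None


def recover_via_nonce_reuse(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Wrong use of the mode (point 3): one key/nonce pair reused for two records
    makes CTR a two-time pad, so C1 xor C2 = P1 xor P2 and one known record
    (say the attacker's own) reveals the other without the key."""
    return bytes(a ^ b ^ c for a, b, c in zip(c_known, p_known, c_target))


def demo() -> dict:
    # Constructed sample records (not real SSNs); the third duplicates the first.
    records = [b"123-45-6789", b"987-65-4321", b"123-45-6789"]
    salt = b"constructed-salt"

    # Weak setting: key derived from a 4-digit PIN, one fixed nonce for every row.
    weak_key = key_from_pin("0731", salt)
    shared_nonce = b"\x00" * 12
    weak_ct = [ctr_encrypt(weak_key, shared_nonce, r) for r in records]

    # Corrected setting: 256-bit random key, fresh random nonce stored per row.
    strong_key = os.urandom(32)
    strong_ct = [(n, ctr_encrypt(strong_key, n, r))
                 for n, r in ((os.urandom(12), r) for r in records)]

    return {
        "weak_pin": brute_force_pin(weak_ct[0], shared_nonce, salt),
        "nonce_reuse": recover_via_nonce_reuse(weak_ct[0], records[0], weak_ct[1]),
        # Nonce reuse also makes equal plaintexts equal ciphertexts: rows are linkable.
        "weak_linkable": weak_ct[0] == weak_ct[2],
        "strong_linkable": strong_ct[0][1] == strong_ct[2][1],
        "strong_roundtrip": all(ctr_decrypt(strong_key, n, c) == r
                                for (n, c), r in zip(strong_ct, records)),
        "strong_pin": brute_force_pin(strong_ct[0][1], strong_ct[0][0], salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it recovers the PIN and the first record in a few hundred guesses, reads the second record straight out of the XOR of two ciphertexts, and shows the duplicate row as a duplicate ciphertext; the same search against the randomly keyed, per-row-nonce version finds nothing. That gap is the argument for tying any safe harbor to the key size, the mode and key handling actually used, not to the word "encrypted".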