There’s been a lot of talk lately in security circles about the possibility of Congress passing a federal breach-notification bill, similar to the landmark California measure. Advocates of a federal law argue that if state notification laws are good, then a federal law would be even better, as it would have a farther reach and thereby give consumers more information about data thefts and security lapses. However, at the Gartner IT Security Summit here in Washington, a number of folks I’ve talked to have said it’s unlikely that Congress will pass a federal breach law anytime soon.
Why? The main reason is that California’s bill and some of the other state laws already act as national laws in many ways. If a large company such as TJX or BJ’s has a few million customer records stolen, not only does the company have to notify those customers, it typically has to make a public disclosure of the incident as well. That disclosure gets picked up by national media outlets, and the news is everywhere within an hour or two. Experts say there’s little that a national law could add to that mix, aside from some additional federal penalties and fines. Of course, that line of reasoning assumes that everyone reads the paper or watches CNN, which isn’t necessarily true.
And then there are other folks who would like to see the existing notification laws softened or taken away altogether. Greg Crabb, program manager for the Postal Inspection Service’s International Affairs Group, said during his keynote this morning that he sees no reason that public companies should have to disclose their security foibles to the general public. “I just don’t like, as a law enforcement agent, companies having to put information about vulnerabilities in their financial disclosures,” Crabb said, referring to some of the requirements of Sarbanes-Oxley. “Why are we telling a bunch of people who don’t need to know your security vulnerabilities? Why isn’t this disclosed confidentially to the government?”
Interesting questions, to be sure. The answer I’ve always heard is that investors or people who might be considering investing have a right to all of the material information about the company, regardless of how embarrassing it might be.