Security Bytes

Jun 4 2007   1:31PM GMT

Do we need a federal breach notification law?

David Schneier

There’s been a lot of talk lately in security circles about the possibility of Congress passing a federal breach-notification bill, similar to the landmark California measure. Advocates argue that if state notification laws are good, a federal law would be better still, since it would reach farther and thereby give consumers more information about data thefts and security lapses. However, at the Gartner IT Security Summit here in Washington, a number of folks I’ve talked to have said it’s unlikely that Congress will pass a federal breach law anytime soon.

Why? The main reason is that California’s law and some of the other state laws already function as de facto national laws in many ways. If a large company such as TJX or BJ’s has a few million customer records stolen, not only does the company have to notify those customers, it typically has to make a public disclosure of the incident as well. That disclosure gets picked up by national media outlets, and the news is everywhere within an hour or two. Experts say there’s little a national law could add to that mix, aside from some additional federal penalties and fines. Of course, that line of reasoning assumes that everyone reads the paper or watches CNN, which isn’t necessarily true.

And then there are other folks who would like to see the existing notification laws softened or taken away altogether. Greg Crabb, program manager for the Postal Inspection Service’s International Affairs Group, said during his keynote this morning that he sees no reason that public companies should have to disclose their security foibles to the general public. “I just don’t like, as a law enforcement agent, companies having to put information about vulnerabilities in their financial disclosures,” Crabb said, referring to some of the requirements of Sarbanes-Oxley. “Why are we telling a bunch of people who don’t need to know your security vulnerabilities? Why isn’t this disclosed confidentially to the government?”

Interesting questions, to be sure. The answer I’ve always heard is that investors or people who might be considering investing have a right to all of the material information about the company, regardless of how embarrassing it might be.


1  Comment on this Post

  • Kevin
    What is really needed is a federal data security law that defines minimum standards for overall data security and defines the levels and types of ownership of data, so responsibilities for protecting it are clearly stated. For example, if a data record is created by the Department of Motor Vehicles in the state of Oklahoma, then that DMV is responsible for providing the best possible security for that data, using the data security law as a beginning and continuing with best practices or other security standards. Add to the data security law requirements for what to do in case of problems and use the California and newly passed New York laws as starting points. Also what is needed is to include data privacy and the ability for people to review and correct wrong information about them in a timely manner. The big three credit bureaus do not allow easy correction of wrong data, and they populate that incorrect data to those who purchase credit reports. It gets worse if you are the victim of identity theft.
