The news that Congress has teed up national data breach notification legislation yet again hardly gets the blood stirring. Yet another attempt to replace the mishmash of 40-plus state breach notification laws is, as always, a good idea, but we have been down this route several times over the last decade.
The newest version, introduced by Pennsylvania Republican Sen. Pat Toomey and four other Republican senators, is a little weaker and vaguer than the bill introduced by the Obama Administration last year. It is somewhat misleadingly entitled the “Data Security and Breach Notification Act of 2012,” but doesn’t seem to offer anything new in the way of data security. What it would do is simplify disclosure requirements for businesses that suffer data breaches. Organizations that suffer breaches of personally identifiable information (PII) now have to account for all the states’ requirements, which are similar in nature, patterned after the first one, California’s SB 1386. In effect, SB 1386 created de facto national law in that anyone doing business with California residents (and that covered pretty much anyone doing business on the Internet) had to disclose PII breaches. As more states jumped aboard, it increasingly became standard practice to simply notify everyone whose data may have been exposed.
Once upon a time, data breach disclosures were rare, occurring only if they managed to become public or the victim organization decided to preempt possible disclosure by a third party to control the damage. Disclosure was simply deemed bad for business.
Organizations that do business across the country typically identify the most stringent state disclosure requirements and follow those everywhere.
Rather than a specific time limit, it requires that disclosure “shall be made as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore integrity of the data system that was breached.” Like other disclosure laws, it exempts encrypted or redacted data from the requirements. Security folks blanch at this, because it takes no account of key management or the strength of the encryption: if the keys were stored alongside the data, or the algorithm and mode are weak, the encryption, and thus the exemption, is somewhat academic.
Generally, state laws that exempt encrypted data do not provide safe harbor if the encryption keys are compromised, and some states make no distinction between encrypted and unencrypted data, so this federal legislation would seem to weaken that aspect of disclosure. For these reasons, among others, it is unlikely this legislation will be well received by the Democrat-controlled Senate, and it is a good bet that this legislation, like its predecessors and, frankly, every attempt to pass federal data protection legislation, will fail.