TRUSTe - Make Privacy Your Choice

When Security-Breach Legislation Is the Right Thing to Do

By Cathy Bump

Federal lawmakers are sharpening their pencils to draft national security breach legislation that would help protect consumer data from identity theft and other misuse. Several bills have been introduced in the Energy and Commerce Committee and also the Senate Judiciary Committee. The Senate Commerce Committee reported out legislation shortly before lawmakers adjourned for the August break, and numerous states have also recently passed security breach laws. All are following in the footsteps of state lawmakers in California, who deserve a round of applause from every consumer or employee whose personal information is potentially vulnerable to identity thieves. This includes, of course, anyone who shops online, uses credit cards on Web sites, or engages in any type of transaction requiring a credit card or other sensitive information.

Fran Maier, executive director and president of TRUSTe, testified on July 28th before the United States House of Representatives' Subcommittee on Commerce, Trade, and Consumer Protection regarding a draft of data protection legislation, speaking in support of following California's lead. The panel of witnesses included Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, Daniel Burton, vice president of Entrust, Inc., and Mike Hintze, Senior Attorney, Microsoft. A transcript of her testimony and that of the other witnesses will eventually be available on the committee website at http://energycommerce.house.gov/108/Hearings/07282005hearing1605/hearing.htm

California’s two-year-old breach notice law has made the single biggest contribution to educating consumers about the vast exposure of their personal information across corporate networks and databases. By requiring companies to notify consumers whose data has been stolen or otherwise leaked, the California law has forced companies to take into account the potential of negative publicity and brand damage, should consumer data in their control be breached. The publicity surrounding recent breaches has also focused increased attention on the relationship between such data breaches and the issue of identity theft.

Without imposing highly prescriptive technology or other security requirements, the California law has successfully created strong incentives for companies to responsibly address the security threats likely to lead to identity theft or other harm. By requiring notice to affected consumers, the California model also empowers those consumers: once told of a breach, they have the opportunity to mitigate its impact. For example, consumers whose data has been leaked can more closely monitor their credit reports for fraudulent activity.

TRUSTe supports legislation that follows California’s lead in taking a market-driven approach to motivate companies to prioritize security. Given the changing nature of the overall environment, technologies, and emerging threats, such a non-prescriptive approach best allows companies the necessary flexibility to address security threats in ways most appropriate and effective for them. TRUSTe also applauds the California approach of extending breach notice requirements to government agencies, as well as all segments of private business, with no industry category being exempted. Consumers should be protected equally, regardless of who their data has been stolen from.

As a non-profit self-regulatory agency that concerns itself with balancing the needs of a modern economy, and the benefits and convenience of an online world, against respect for individual privacy rights, we applaud how simply and completely the recent rash of security breaches is pushing corporate America toward responsible and comprehensive data privacy and security measures.

In communicating with consumers about potential data security breaches, companies should disclose the following:

  • The kinds of personal information the company collects and how it is used, disclosed, or otherwise handled in the regular course of business
  • How consumers can access their information and have it corrected or updated
  • How the company will notify consumers in the event of a security breach, and what redress will be provided to them
  • Where consumers can learn more about their rights in the event of a breach

Some companies would like to see exemptions or "safe harbors" for data that was encrypted, or for otherwise demonstrating that some means of providing reasonable security had been taken, but efforts to secure consumer data will constantly be challenged by determined hackers and fraudsters. Previous attempts by the credit card industry to self-regulate through auditing failed to prevent the recent data breach at CardSystems, the largest hack of financial data seen yet.

In regard to the argument that consumers should not be inundated with notices because the notices would quickly lose their effectiveness, the parameters of the California security breach notification law are instructive. This law, in effect for over two years, seems to have struck the right balance in this area. Consumers are receiving appropriate and useful notices, but there does not appear to have been an unmanageable deluge of them. Although the evidence is anecdotal, the fact that the California statute has largely been followed as a nationwide standard makes it a good indicator of the potential impact of a nationwide bill such as this one.

We also note that the marketplace approach taken by the California statute, as well as by the subsequent state laws and federal breach notice bills, prompts a positive cause-and-effect dynamic. A nationwide breach-notice requirement will give companies an incentive to improve their practices, in the long run resulting in fewer breaches and consequently, over time, fewer notices. TRUSTe believes that this approach generates a much better outcome than setting the initial threshold for a breach notice requirement so high that few breaches trigger it, thereby potentially decreasing the motivation to prioritize security.

Cathy Bump is Vice President of Policy & Legal at TRUSTe.
© 1997 - 2008 TRUSTe. All Rights Reserved.