How Broad a Data Breach Disclosure Law?
WASHINGTON -- And now for the hard part: just how would a national data breach disclosure law work?
With bills now in the House and the Senate that would force data brokers and financial institutions to inform consumers of a breach, Congress is looking at the nitty-gritty details of the legislation.
"One of my concerns, given the dramatic rise in recent reports on data breaches, is there will be a headlong rush for notification in every instance," House Financial Services Committee Chairman Michael Oxley (R-Ohio) said at a Capitol Hill hearing.
The problem, Oxley suggested, is overkill.
"When no evidence surfaces to indicate their information has been misused, consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail," he said.
According to Oxley, only a small percentage of the highly publicized cases of data breaches have actually resulted in any fraudulent activity.
For example, Bank of America recently revealed that backup tapes containing more than a million customer records were lost in transit to a backup data center. Of the 15 tapes shipped, five disappeared; two of the missing tapes held customer information, while the other three held non-sensitive backup software.
"As to the tapes themselves, sophisticated equipment, software and operator expertise are all required to access the information," said Barbara Desoer of Bank of America. "In addition, specific knowledge of the manner in which the data is stored, that is, the fragmented nature of the data and the steps required to reassemble it would be required."
Desoer said the Secret Service has informed Bank of America that no evidence exists to indicate the tapes were wrongfully accessed or their content compromised.
Nevertheless, Desoer said, Bank of America supports a national disclosure law.
"Our recent actions demonstrate our belief that customers have a right to know when there is reason to believe that their information may have been compromised," she said.
Data broker ChoicePoint, which has suffered its own embarrassing data breaches, also threw its support behind a national law.
"We support a pre-emptive national law that would provide for notification to consumers and a single law enforcement point of contact when personally identifiable information has fallen into inappropriate hands," Don McGuffy, a ChoicePoint senior vice president, said.
The breach disclosure bills in the House and Senate are modeled on California's law, which requires a business or government agency to notify affected individuals in writing or by e-mail when it reasonably believes that unencrypted personal information has been compromised; data that was encrypted falls outside that notification requirement.
Sen. Dianne Feinstein's bill goes beyond the California law by covering encrypted data as well, and it allows individuals to place a seven-year fraud alert on their credit reports. The legislation proposes a civil penalty of $1,000 per affected individual for failure to notify, or up to $50,000 per day for as long as the failure to notify continues.