RealTime IT News

Data Breach Disclosure Overkill?

UPDATED: WASHINGTON -- The Federal Trade Commission (FTC) told a Congressional subcommittee today it makes sense to pass a national data breach disclosure law. The more difficult issue, though, is when to send the notice.

In the wake of widespread, highly publicized data breaches by ChoicePoint, LexisNexis, Bank of America and a handful of universities, Congress is holding a series of hearings on the obligations of data brokers.

One of the most popular approaches favored by lawmakers in both the House and the Senate is a federal disclosure law based on a California statute that requires data brokers to inform consumers of unencrypted breaches of their personal information.

Currently, California is the only state to impose such a requirement on data brokers.

"[A] step to consider would be a workable federal requirement for notice to consumers when there has been a security breach that raises a significant risk of harm to consumers," Lydia Parnes, director of the FTC's Bureau of Consumer Protection, told a House Financial Services Committee panel.

While the idea of a national disclosure law is gaining favor in Congress, there is also concern about overkill. Two weeks ago, Rep. Michael Oxley, chairman of the House Financial Services Committee, said he was concerned there would be a "headlong rush for notification in every instance."

So far this year, only a small percentage of reported data breaches have actually resulted in any fraudulent activity.

For example, although Bank of America recently revealed that 15 data backup tapes containing more than a million records were lost during transport to a backup data center, only two of the lost tapes included customer information. The other three tapes held non-sensitive backup software.

Should consumers be notified of every breach of data?

"The trigger for notice is probably the most difficult issue here," Parnes said. "They may get so many notices, they may start ignoring them and when there is a notice that represents a real threat, they won't act on it."

She also expressed concern that too many notices would lead consumers to place alerts on their consumer reports when there is really no problem.

"That can create problems for the consumer and the institution as well," she said.

The handful of House members attending the hearing again raised the issue of encrypted and unencrypted data. Sen. Dianne Feinstein (D-Calif.) has introduced legislation that would require the disclosure of a data breach of both encrypted and unencrypted data.

Technology lobbyists and trade groups consider encrypted data to be a good-faith measure of adequate security protection. At a minimum, they argue, data brokers who encrypt their data should face lesser liability for a data breach than brokers dealing in unencrypted data.

Both the FTC and the Federal Deposit Insurance Corporation (FDIC), which also testified Wednesday, dodged questions about encrypted data.

Sandra Thompson, deputy director at the FDIC, told the panel, "What works for one institution may not work for another institution. The FDIC really tends to shy away from proscribing specific standards, such as encrypted data, because we want our institutions to use a flexible approach."

Ultimately, the FTC's Parnes said, once there's been a breach, "That horse is out of the barn."

She added, "The most immediate need is to address the risks to the security of the information. At the outset, companies should take steps to prevent breaches before they happen."