RealTime IT News

Data Breach Law: Why Tech Doesn't Get It

Fix spam? Trust us, tech tells Washington when it wants to pass laws to fight it. We'll fix it. Spyware? Not to worry, private enterprise has the solution too.

Congress first introduced anti-spam bills in 1999. Three congresses and five years later, the 108th Congress passed the CAN-SPAM Act. Lawmakers were so far behind the curve when they finally acted, the legislation is widely considered a failure.

As early as 2000, Congress introduced an anti-spyware bill. Proponents are still waiting with less-than-bated breath for Congress to act. Spyware, meanwhile, continues to spread like wildfire.

Now comes the idea of a national data breach disclosure law, a concept so simple even Congress gets it. Too bad tech doesn't.

Lawmakers are first and foremost retail politicians. This they know: voters are shocked that until California passed a disclosure law, companies such as ChoicePoint and LexisNexis didn't even bother to tell consumers their personal information had been exposed to possible ID theft.

The law didn't require it, so they didn't tell us. In fact, financial institutions went so far in 2004 as to sink a proposal by Democratic Sen. Dianne Feinstein of California: if a company exposes your personal data to possible ID theft, it must tell you.

Feinstein is back this year with the same proposal, but this time Congress is listening. Tech is not.

The day after Feinstein re-introduced her legislation, the Information Technology Association of America (ITAA), one of the more prominent tech trade groups in Washington, came right out and said encrypted data shouldn't be included in the disclosure law.

"Using strong encryption to protect consumer records makes it extremely unlikely that all but the most determined and technologically sophisticated criminal will attempt to breach them," ITAA head honcho Harris Miller said in a press release. In other words, trust us.

Apparently, the ITAA thinks it would be perfectly OK for companies that encrypt their data to refrain from telling us about their embarrassing hacks. Does Miller really believe encrypted data is so secure Americans shouldn't be concerned about their encrypted credit-card numbers being stolen? Not really, it turns out, only that it's bad for business.

"Including encrypted data in a breach notification bill takes away one important incentive vendors have to encrypt the data in the first place," he said.

Not that the ITAA isn't concerned about the little guy. If both encrypted and unencrypted data are included in a national disclosure law, as Feinstein wants, the ITAA says it is concerned consumers will be confused about the definitions in the notification letter.

So is it better to not tell consumers about hacks on their personal data than to have them confused?

Not so, an ITAA spokesman said Friday, stressing that the ITAA supports a national disclosure law. But, he said, the law should focus on the ID theft and not the breach itself.

"Exposed is a loaded term," he said. "If there is no realistic probability the information was exposed to the bad guys, companies will be forced to send out a lot of false-positive notices."

That, the spokesman posited, will just lead to consumer confusion, a story line picked up by House Financial Services Committee Chairman Michael Oxley (R-Ohio).

Oxley said at a hearing earlier this week he was worried Congress is getting into a "headlong rush for notification in every instance [of a data breach]. When no evidence surfaces to indicate their [consumers] information has been misused, consumers may begin to ignore those notices as just that many more pieces of unsolicited junk mail."

Despite Oxley's quibbling and the ITAA's self-serving logic, a national disclosure law is a proposal with legs in the 109th Congress. It is widely believed that some form of Feinstein's bill will be passed if not by the end of the year, then certainly before next year's elections.

"It's always good to bring home the bacon just before an election," one Capitol Hill tech staffer said. "They'll be able to campaign and say, 'Look what I did to help make your data more secure.'"

Tech would be wise to get out in front of this issue instead of focusing on ways to dilute it. The more it stalls the bill in Washington, the more time 50 different states will have to create their own unique data breach disclosure laws. Compliance with so many different jurisdictions would be a regulatory nightmare for private enterprise.

It's going to happen, tech. Climb on board or be run over by the bandwagon.

Roy Mark is Washington D.C. bureau chief for internetnews.com