When Is a Breach a Breach?

Congress is — again — promising a national data breach notification law. Of course, we’ve heard that talk before, and two years and 100 million records exposed to possible identity theft later, it has all proved to be so much hot air.

Republicans and Democrats will tell you a federal breach notification law is not a political issue. Trotting out the most overused political speak on Capitol Hill, lawmakers insist it is a bipartisan issue. All agree it’s a good idea.

So what happened in the 109th Congress? Politics.

In the Senate, the Judiciary Committee thought it had jurisdiction but so, too, did the Commerce Committee. The same turf battle broke out in the House. In the end, nothing got done since the politicians couldn’t decide who would get credit.

This time around, the newly empowered Democrats say things will be different.

“We will work cooperatively with other committees to resolve jurisdictional issues and with stakeholders to resolve policy issues,” Rep. John Dingell (D-Mich.), the new chairman of the Energy and Commerce Committee, said Thursday.

Dingell’s comments came as he introduced a package of privacy legislation that includes a breach notification bill sponsored by Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.). In the Senate, Dianne Feinstein and Patrick Leahy have submitted separate bills involving breach notification.

All three bills are similar to legislation introduced in the 109th Congress. And bipartisan or not, they underscore the biggest challenge facing lawmakers in turning the bills into law: When is a breach a breach? Who has to disclose what information? And who gets an exemption?

Consumer groups say it’s a simple call. If a person’s personal data is exposed to potential identity theft, a private company or government agency suffering the breach should inform the consumer. That, however, is not going to happen.

Leahy’s bill provides a safe harbor for the very people who lost the data in the first place and leaves it to them to determine whether there is any “significant” risk that the breach resulted or will result in harm to the consumer. For financial institutions, no breach notification is required if the breach results in no charges to the consumer’s account.

Feinstein’s bill provides the same safe harbors as Leahy’s. Both bills would preempt any existing state laws, tougher or not.

The House bill introduced by Rush and Stearns Thursday takes a different approach. The Data Accountability and Trust Act (DATA Act) still depends on a company making a risk assessment of the breach, but lowers the notification threshold to a “reasonable risk” of theft, fraud or other unlawful conduct.

The bill also provides a safe harbor from notification if the stolen or lost data is encrypted or uses other methods that render data in electronic form unreadable or indecipherable.

The encryption safe harbor, though, is no free ride.

“Any presumption [that the encryption or other method safeguards data] may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised,” the bill states.

It’s a notion endorsed by Liz Gasster, the acting director and general counsel of the Cyber Security Industry Alliance. “Whatever level [of encryption] there is, there must be a [legal] mechanism for updating. You know, 64-bit encryption for a time was considered strong.”

Rush and Stearns’ bill is a long way from being a law, as are Leahy’s and Feinstein’s proposals. Obviously, compromises are in the making for any of the proposals to become reality. Compromises, it should be noted, that have not been forthcoming in the past.

Meanwhile, Congress moves into a third year of failing to pass a national breach notification law since the ChoicePoint data breach. With new leadership, perhaps something different will result in the 110th Congress.

Let’s hope so. As Gasster points out, “Accidents keep happening and criminals keep trying.” Now, if only Congress will keep trying.