How Broad a Data Breach Disclosure Law?

WASHINGTON — And now for the hard part: just how would a national data
breach disclosure law work?

With bills now in the House and the Senate that would force data brokers and financial institutions to inform consumers of a breach, Congress is looking at the nitty-gritty details of the legislation.

“One of my concerns, given the dramatic rise in recent reports on data braches, is there will be a headlong rush for notification in every instance,” House Financial Services Committee Chairman Michael Oxley (R-Ohio) said at a Capitol Hill hearing.

The problem, Oxley suggested, is overkill.

“When no evidence surfaces to indicate their information has been misused,
consumers may begin to ignore those notices as just that many more pieces of
unsolicited junk mail,” he said.

According to Oxley, only a small percentage of the highly publicized cases
of data breaches have actually resulted in any fraudulent activity.

For example, Bank of America recently revealed that data backup tapes containing more than a million records were lost during transport to a backup data center. A total
of 15 tapes were shipped to the data center with five disappearing. Two of
the lost tapes included customer information while the other three tapes
held non-sensitive, backup software.

“As to the tapes themselves, sophisticated equipment, software and operator
expertise are all required to access the information,” said Barbara Desoer of Bank of America. “In
addition, specific knowledge of the manner in which the data is stored, that is, the fragmented nature of the data and the steps required to reassemble it would be required.”

Desoer said the Secret Service has informed Bank of
America that no evidence exists to indicate the tapes were wrongfully
accessed or their content compromised.

Nevertheless, Desoer said, Bank of America supports a national disclosure

“Our recent actions demonstrate our belief that customers have a right to
know when there is reason to believe that their information may have been
compromised,” she said.

Data broker ChoicePoint, which has also suffered embarrassing data breaches,
also threw its support to a national law.

“We support a pre-emptive national law that would provide for notification
to consumers and a single law enforcement point of contact when personally
identifiable information has fallen into inappropriate hands,” Don McGuffy,
a ChoicePoint senior vice president, said.

The breach disclosure bills in the House and Senate are based on
California’s new legislation, which requires a business or government agency to notify an individual in writing or by e-mail when it is believed that
unencrypted personal information has been compromised.

Sen. Diane Feinstein’s bill goes beyond the California law to include encrypted data and allows individuals to put a seven-year fraud alert on their credit
report. The legislation proposes a $1,000 per individual civil fine for
failure to notify or not more than $50,000 per day while the failure to
notify continues.

News Around the Web