UPDATED: WASHINGTON — The Federal Trade Commission (FTC) told a Congressional
subcommittee today it makes sense to pass a national data breach disclosure
law. The more difficult issue, though, is when to send the notice.
In the wake of widespread, highly publicized data breaches at ChoicePoint,
LexisNexis, Bank of America and a handful of universities, Congress is holding a series of
hearings on the obligations of data brokers.
One of the most popular approaches favored by lawmakers in both the House
and the Senate is a federal disclosure law modeled on a California statute
that requires data brokers to inform consumers of breaches of their
unencrypted personal information.
Currently, California is the only state to impose such a requirement on data
brokers.
“[A] step to consider would be a workable federal requirement for notice to
consumers when there has been a security breach that raises a significant
risk of harm to consumers,” Lydia Parnes, director of the FTC’s Bureau of Consumer Protection, told a House Financial Services Committee panel.
While the idea of a national disclosure law is gaining favor in Congress,
there is also a concern of overkill. Two weeks ago, Rep. Michael Oxley,
chairman of the House Financial Services Committee, said he
was concerned there will be a “headlong rush for notification in every
instance.”
So far this year, only a small percentage of the cases of data breaches have
actually resulted in any fraudulent activity.
For example, although Bank of
America recently revealed that 15 data backup tapes containing more than a
million records were lost during transport to a backup data center, only two
of the lost tapes included customer information. The other three tapes held non-sensitive backup software.
Should consumers be notified of every breach of data?
“The trigger for notice is probably the most difficult issue here,” Parnes
said. “They may get so many notices, they may start ignoring them and when
there is a notice that represents a real threat, they won’t act on it.”
She was also concerned that too many notices would prompt consumers to place
alerts on their consumer reports when there is really no problem.
“That can create problems for the consumer and the institution as well,” she
said.
The handful of House members attending the hearing again raised the issue of
encrypted and unencrypted data. Sen. Dianne Feinstein (D-Calif.) has
introduced legislation that would require the disclosure of a data breach of
both encrypted and unencrypted data.
Technology lobbyists and trade groups consider encrypted data to be a good-faith measure of adequate security protection. At a minimum, they argue,
data brokers who encrypt their data should face lesser liability for a data
breach than brokers dealing in unencrypted data.
Both the FTC and the Federal Deposit Insurance Corporation (FDIC), which
also testified Wednesday, dodged questions about encrypted data.
Sandra Thompson, deputy director at the FDIC, told the panel, “What works
for one institution may not work for another institution. The FDIC really
tends to shy away from prescribing specific standards, such as encrypted data,
because we want our institutions to use a flexible approach.”
Ultimately, the FTC’s Parnes said, once there’s been a breach, “That horse
is out of the barn.”
She added, “The most immediate need is to address the risks to the security
of the information. At the outset, companies should take steps to prevent
breaches before they happen.”