WASHINGTON — U.S. Senator Dianne Feinstein (D-Calif.) renewed her call for a federal data breach disclosure law Wednesday afternoon, seeking to stir new life into her almost four-year-old legislation known as the Notification of Risk to Personal Data Act.
If her attendance at yesterday’s hearing on data privacy is any indication, Feinstein will need a big megaphone. Only Feinstein, the chairman of the Subcommittee on Terrorism, Technology and Homeland Security, and ranking Republican member Jon Kyl showed up. Kyl left 30 minutes after the hearing began.
“The law allows people to take steps to protect themselves from identity theft — but that is of no use unless people know they are at risk,” Feinstein said. “The problem of identity theft is persistent, and it will not be solved without a strong effort from Congress.”
Feinstein’s bill failed to raise much interest when it was introduced in 2003. After the ChoicePoint data breach in 2005, Feinstein regrouped in the 109th Congress and attached the legislation to Sen. Patrick Leahy’s (D-Vt.) larger privacy bill. The Senate Judiciary Committee approved the measure, but the bill never reached the Senate floor for a vote.
This time around, Feinstein says she wants to push the legislation as a standalone bill so “people’s data that is at risk can be notified.”
The bill would require businesses and government agencies to notify consumers of data breaches under certain circumstances. Businesses would be allowed to make a “risk assessment” of a data breach and notify consumers only if there is a “significant” risk of harm.
Businesses would, however, be required to notify the Secret Service of the breach. If the Secret Service disagrees with the risk assessment, then the business would be required to mount a data breach disclosure campaign.
Feinstein said her proposal mandates a risk assessment, but does not legislate the actual protocol of the assessment. Witnesses at the hearing applauded Feinstein’s efforts, but questioned some of the proposals in the bill, particularly the risk assessment requirement.
“How you conduct risk analysis can be very tricky,” Joanne McNabb, chief of the California Office of Privacy Protection, told Feinstein. “You don’t have forensic facts to say that data was actually compromised.”
James Davis, UCLA’s chief information officer and vice chancellor for information technology, agreed with McNabb, adding, “The definition of ‘significant risk’ is very difficult.”
In November, UCLA discovered a breach of the university’s computer system when system administrators noticed an unusually high volume of activity against a campus data center. The exposed database held Social Security numbers, dates of birth and home addresses for more than 800,000 UCLA students, faculty and staff, all of which could be used for identity theft.
“Computer forensics uncovered evidence that significantly confirmed only a small percentage of the 800,000 individuals…had their Social Security numbers accessed and needed notification under California law,” Davis said. “The campus then faced a difficult decision about whether to notify the vast remainder of potentially affected individuals in the absence of significant confirming technical evidence.”
UCLA ultimately decided to notify all 800,000 of the data breach. Notification began in December and involved the U.S. mail, e-mails, media notices and establishing phone banks in 24 locations around California. To date, the UCLA hotlines have received almost 36,000 calls.
“The hard thing was risk analysis,” Davis said. “It sounds good in principle; putting it into practice is another matter.”