Sept. 20, 2014

Data Breach Response May Be Limited to Notification

Tom Williams/CQ Roll Call
Leahy is sponsoring a leading data breach bill, which would set criminal penalties for those who fail to disclose breaches.

Lawmakers have generally received positive feedback from industry about notification — although the retail sector has expressed some reluctance — but many in the private sector feel that additional regulations would be unnecessarily restrictive and could actually harm data security if they set baselines that are too low or standards that don’t adapt to the steady flow of new threats.

“I really think the industry needs to do a better job in how it protects its information,” said Randy Vanderhoof, president of the Smart Card Alliance, a business group advocating for smart card technology.

Data security challenges include being able to spot illegitimate users on networks and better encrypting information to minimize the damages from breaches, Vanderhoof said, but those are all better left to the private sector. Even Warner’s suggestion about standardizing fraud protections for debit and credit cards would be an area where companies are in a better position to take action based on their knowledge of technology and the risks that consumers are willing to bear, he said.

“They’re certainly issues that I think industry is in the best position to solve,” he said.

Renewed Push for Change

Congress has been debating a federal notification standard for years, but the issue came back into focus in recent months, as lawmakers probed Target and Neiman Marcus executives for information about when and how the companies told customers about the attacks. The administration used the opportunity to renew its calls for a notification law, saying such a requirement would aid law enforcement in pursuing cyber-criminals.

“These crimes are becoming all too common,” Attorney General Eric H. Holder Jr. said in a video address. “And they have the potential to impact millions of Americans every year.”

Holder said a suitable standard would contain exceptions for harmless breaches, to protect businesses from undue harm, and penalties for companies that fail to make disclosures.

Although there is still a sharp partisan divide over data breach regulation — particularly the notion of giving the government more power to punish companies that don’t adequately protect information, a notion Republicans oppose — fewer members are willing to publicly oppose a notification requirement.

After the House held hearings on the Target and Neiman Marcus breaches, “there seemed to be agreement that one standard for disclosure would be good,” Graham Dufault, counsel to Lee Terry, R-Neb., chairman of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade, said at a recent conference.

Senate Judiciary Chairman Patrick J. Leahy, D-Vt., is sponsoring a leading data breach bill (S 1879), which would set criminal penalties for those who fail to disclose breaches. The panel’s ranking Republican, Charles E. Grassley of Iowa, says he’s willing to move forward on the issue, with the caveat that legislation should take pains to avoid requiring unnecessary disclosures.

“Just as there’s a potential for harm when a victim isn’t notified of a breach, overnotification can lead to harm and apathy,” he said during a February hearing.

Agreement doesn’t always equal action, though, and there are still plenty of issues that could kill breach notification this session. Debates over what constitutes “personally identifiable information” that would require notification if accessed by an attacker have bogged down debate in the past.
