The Weakest Link: Feds Fail with Cyber Security Proposal

Bills seeking to regulate data privacy and security failed to make it past go in the Senate in 2005, 2007 and 2009. The 2009 version was released by the Senate Judiciary Committee, but was hammered by industry opposition and died before ever getting to a vote in the full Senate. A new bill, introduced by Sen. Patrick Leahy (D-VT), co-sponsored by Charles Schumer (D-NY) and Ben Cardin (D-MD), would criminalize the failure to disclose breaches.

Various pieces of legislation have failed in the House as well. Rep. Mary Bono Mack (D-CA) has introduced her own data protection and notification bill which would force companies to go public with the details of a breach within 48 hours of its discovery. (Read more about these bills in American Banker’s Bank Technology News.)

But, as I alluded to above, the Obama Administration’s newly proposed cyber security and breach notification standards have been getting the most attention of late. Sadly, in many ways their proposal is a step backwards, not forwards, when it comes to disclosure. While the data security provisions in Obama’s bill are more stringent than before, the disclosure provisions are problematic. First of all, for the most part they preempt state laws, which are often more stringent than this federal law.

According to a White House press release, “The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.”

Privacy advocates share my concerns. They have expressed worry that “helping business” here prevents states from enforcing tougher existing laws and might prevent them from enacting more stringent measures in the future if the federal law proves inadequate.

In a recent column that outlines the various problems with Obama’s proposal, Identity Theft 911 Chief Privacy Officer Eduard Goodman writes, “The statute weakens different state laws in an effort to provide a uniform solution to data breach notification policy. Chalk this up to another win for big business and another hit to the consumer.”

In his most recent story on the subject, Credit.com reporter Chris Maag further points out that, “some security experts have criticized this part of the proposed legislation, saying it is significantly weaker than breach notification laws in many states because of its limited definition of personally identifiable information, and the fact that it doesn’t apply to paper documents.” Maag called the White House looking for an explanation, but sadly they dodged him.

Plain and simple, though their hearts may well be in the right place, it seems that neither the Administration nor Washington’s political elite fully grasp the magnitude of the issue, and even if they did, they are unwittingly enabling the bad guys by weakening the rules of disclosure. I can understand why the administration wants to consolidate these rules, but a federal law mandating notification should be either more aggressive than state statutes or represent the floor, not the ceiling, when it comes to toughness. Furthermore, despite the weaknesses with regard to notification, I support many of the provisions in the administration’s bill with regard to security standards. I’ll take a closer look at those in a future column, but in the meantime, I’m worried that all the hemming and hawing in D.C. serves only to extend the window of opportunity for those targeting our personal information.
