[ISN] How Broad a Data Breach Disclosure Law?

InfoSec News isn at c4i.org
Fri May 6 09:18:01 EDT 2005


By Roy Mark 
May 5, 2005 

WASHINGTON -- And now for the hard part: just how would a national
data breach disclosure law work?

With bills now in the House and the Senate that would force data
brokers and financial institutions to inform consumers of a breach,
Congress is looking at the nitty-gritty details of the legislation.

"One of my concerns, given the dramatic rise in recent reports on data
breaches, is there will be a headlong rush for notification in every
instance," House Financial Services Committee Chairman Michael Oxley
(R-Ohio) said at a Capitol Hill hearing.

The problem, Oxley suggested, is overkill.

"When no evidence surfaces to indicate their information has been
misused, consumers may begin to ignore those notices as just that many
more pieces of unsolicited junk mail," he said.

According to Oxley, only a small percentage of the highly publicized
cases of data breaches have actually resulted in any fraudulent

For example, Bank of America recently revealed that data backup tapes
containing more than a million records were lost during transport to a
backup data center. A total of 15 tapes were shipped to the data
center with five disappearing. Two of the lost tapes included customer
information while the other three tapes held non-sensitive, backup

"As to the tapes themselves, sophisticated equipment, software and
operator expertise are all required to access the information," said
Barbara Desoer of Bank of America. "In addition, specific knowledge of
the manner in which the data is stored, that is, the fragmented nature
of the data and the steps required to reassemble it would be

Desoer said the Secret Service has informed Bank of America that no
evidence exists to indicate the tapes were wrongfully accessed or
their content compromised.

Nevertheless, Desoer said, Bank of America supports a national
disclosure law.

"Our recent actions demonstrate our belief that customers have a right
to know when there is reason to believe that their information may
have been compromised," she said.

Data broker ChoicePoint, which has also suffered embarrassing data
breaches, also threw its support to a national law.

"We support a pre-emptive national law that would provide for
notification to consumers and a single law enforcement point of
contact when personally identifiable information has fallen into
inappropriate hands," Don McGuffy, a ChoicePoint senior vice
president, said.

The breach disclosure bills in the House and Senate are based on
California's new legislation, which requires a business or government
agency to notify an individual in writing or by e-mail when it is
believed that unencrypted personal information has been compromised.

Sen. Dianne Feinstein's bill goes beyond the California law to include
encrypted data and allows individuals to put a seven-year fraud alert
on their credit report. The legislation proposes a $1,000 per
individual civil fine for failure to notify or not more than $50,000
per day while the failure to notify continues.
