Since it’s a discussion draft, let’s discuss! Actually, I think this could be a good bill to eliminate a lot of the confusion about how individual states are treating data breach notifications.
From the press release:
“A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner. Non-profit organizations such as universities and charities would be required to comply with the legislation.”
This bill differs slightly from others recently introduced in that it requires companies to implement “reasonable security procedures”. After having arguments for years about whether it is reasonable to require users to change their passwords…at all…I wonder who determines what reasonable means. Should we let consumers determine how much security they want or need? I think users did that to some extent by leaving MySpace for Facebook because of the perceived insecurity of MySpace. But in that scenario, users had a choice with a perceived difference.
One of the best aspects of the document is that it creates requirements for the contents of a breach notification, which would go a long way to having some kind of standard for these letters. There are five requirements:
- Description of the PII breached
- A Toll free telephone number for victims to call
- Credit monitoring services for 2 years. (I think this is great, but I would bet money that through negotiations it will be reduced to 1 year if a bill ever gets passed.)
- Toll free numbers for credit reporting agencies
- Toll free number or website info for the FTC
I like that the bill provides for email notification if that is the main method of contact between the business and the individual. I also like that there is an alternative method of contact should it be a small group or contact info isn’t sufficient.
I like that there is a safe harbor provision for encryption similar to HIPAA.
What I’m not so sure about – the “Data Security Requirements”. Yes you need a security policy and an Information Security Officer. The rest of the requirements seem too vague to me. My take on this is that they expect any administrative guidelines set up by the FTC to address this. I also get the need to be flexible for different sized businesses and different industries. I think to have successful security legislation (meaning actually make the country’s infrastructure more secure) we need a standard like PCI which spells out the requirements. Instead, what the bill leaves us with is a requirement for security processes for identifying vulnerabilities, data retention, data disposal and minimization. What this does is set the companies to be judged in court by their own policies when something goes wrong. And I suspect things will go wrong without firmer requirements.
One thing that is missing from all of these data privacy laws is that they don’t list anything about requiring passwords to be changed. If Google, Facebook, Yahoo, and Hotmail all regularly required users to change their passwords (even if only once per year) the chances of an exposed account and password compromising a host of other accounts would be reduced. Users who use the same password for their credit card site as they do for their Twitter account would eventually be forced to use different ones…oh happy day.
What about requiring two factor authentication? By and large, banks have started asking challenge questions as the regular part of the logon process. Why not extend this beyond the financial industry?
The real question is, should we try and force users actions to change through corporate regulations or change the habits of hackers through penalties? I would argue that the former would have a much greater impact than the latter.