ITAA backs breach notification law
- By Michael Arnone
- Sep 21, 2005
Congress should pass a law that outlines when government and the private sector must notify the public about cybersecurity breaches that compromise confidential information, an information technology industry group said today.
The theft of millions of personal records from ChoicePoint and other companies has made breach notification “the most pressing cybersecurity issue on the minds of Congress right now,” said Greg Garcia, vice president of information security programs and policy at the IT Association of America.
Congress is more likely to pass a breach notification law than any other cybersecurity-related bill this term, Garcia said.
House and Senate committees are jockeying for jurisdiction over a number of bills still under consultation, Garcia said. Only one bill, introduced by Sen. Dianne Feinstein (D-Calif.), has been submitted, Garcia said.
As of August, 17 state bills have been passed into law, and eight of them have taken effect, Garcia said.
The ITAA supports a national standard for breach notification with rational guidelines of when to notify the public, Garcia said.
The law should establish a clear definition of breaches, specify means and methods of notification and identify information to publish, Garcia said. It should also describe exceptions when information cannot be given, such as in national security matters.
The law should assure the risks of not complying outweigh the costs of compliance and pre-empt state laws that might remove the teeth from notification requirements, he said.
Another question is whether notification is necessary for every breach or only when one causes harm. The increasing number of cyberthefts and unclear standards could lead to a cry wolf situation in which organizations responsible for protecting the public’s personal information don’t notify affected customers when they ought to, Garcia said.
For example, Feinstein’s bill would require notification even if encrypted data is stolen, Garcia said. Encrypted data is generally useless to thieves unless they can access the decryption codes, he said.
In addition to requiring notification, Congress should require public- and private-sector custodians of information to employ widely recognized industry security standards to protect networks from unauthorized access, including encryption, Garcia said.
The breach notification law is part of a six-point strategy ITAA has developed to fight data breaches. The other elements are:
• Creating a national law enforcement strategy that strengthens prosecution and penalties for identity thieves.
• Enhancing cooperation between industry and law enforcement organizations.
• Providing additional resources to federal, state and local law enforcement to fight identity thieves.
• Speeding development and adoption of new anti-theft tools.
• Coordinating all industry sectors to adopt joint anti-theft best practices.