Obama's proposed data breach notification law bodes well for businesses

Jan. 16, 2015
Expert says more needs to be done to help organizations improve their cybersecurity posture

Earlier this week, President Barack Obama said he wants Congress to pass legislation that would create a new federal standard for data breach notification. Under the Personal Data Notification and Protection Act, companies would be required to inform customers within 30 days if their personal information had been compromised as the result of a breach. Rather than having to navigate various state laws, the president said this new legislation would create a single standard for organizations to follow.

While the president’s announcement should come as little surprise to most companies given the amount of attention that large-scale data breaches, such as the recent hack of Sony Pictures, have garnered over the past several years, some believe that this newly proposed law would actually be of greater benefit to businesses than consumers.

“There are 47 different state data breach notification pieces of legislation and that’s a problem for organizations because if they operate in more than one state – and many companies do – they end up having to pick one and sort of make that their common denominator. It would be a lot more efficient for businesses and organizations all around if there was just a single federal standard that we could all comply with,” said Dave Frymier, CISO at IT services provider Unisys. “If you look at these different pieces of legislation, they define a breach differently and the safe harbor provisions for encryption and the definitions of encryption are different from one law to the next, so if this was all standardized across the states, it would be a benefit to all of the organizations that are trying to comply with these 47 patchwork breach notification laws.”

Nearly two years ago, in February 2013, the president signed an executive order that directed the National Institute of Standards and Technology (NIST) to create a cybersecurity framework for organizations involved in operating the nation’s critical infrastructure assets. According to Frymier, this framework provides a set of 98 control objectives that companies in this sector can use to determine how their level of information security compares to what is considered a minimally acceptable standard for cybersecurity. Frymier said creating a similar framework for businesses across the board would be a better approach than simply passing a law that stipulates the requirements for data breach notification.

“If you can do that across an industry, then you could average or do some other sort of statistical function to say, ‘ok, here is a baseline of adequate security in the electrical power, water, transportation or financial services industry.’ That sort of baseline definition would be useful for companies so that they would know what the minimum amount of security their organization should be expected to have,” explained Frymier. “And, quite frankly, that’s a lot more useful than even a consolidated federal breach notification law. I would much rather see Congress come out with something along the lines of the executive order from February 2013 than a breach notification statute.”

If Congress doesn’t do that, Frymier said the next best thing may be case law established in the aftermath of some of the class action lawsuits still pending against Target and other organizations that have suffered high-profile breaches. While the president’s proposed initiatives may not lay the groundwork for comprehensive cybersecurity reform, many people like Frymier believe that they are a step in the right direction.

"The president and his team should be commended in continuing to show leadership on important issues of privacy and data security. There has been consensus and a call from many in the business community several years running for data breach legislation. This may finally be the year if the bill can avoid being bogged down with data use limitations and questions surrounding what entity is responsible for payment of breaches. The payment issue is best left to the marketplace or in a separate proposal, as ultimately it is not a consumer protection issue, but rather a commercial issue,” Stuart Ingis, a partner at the law firm of Venable LLP and co-author of “Privacy Protection in the United States: A Survey,” said in a statement this week.

“With respect to the Privacy Bill of Rights, businesses will await the details to pass judgment on the particulars of any proposal. If it looks similar to the provisions pushed by the administration in then-Senator Kerry's comprehensive privacy bill from a previous Congress, it is unlikely to garner much support on the Hill. Then-Senator Kerry's bill did not garner much support from either party. That bill was criticized for its European-like omnibus approach and the breadth of discretion it would have given the FTC to endorse codes or rules,” continued Ingis. “Legislators are very reluctant to impose regulation on the innovative use of information in the internet era that is driving the economic turnaround. I expect the Republican-led Congress would be more likely to limit rules or enforcement action that would impede America's leadership in the information age."

As the president’s previous executive order made the Department of Homeland Security the de facto IT security department for the federal government and critical infrastructure, Frymier said any cybersecurity legislation crafted by lawmakers needs to define what entity will perform that same role for the private sector when it comes to information sharing. Additionally, Frymier said there needs to be some built-in liability relief so companies won’t be leery of sharing information.

“There is nobody looking after us in the aggregate. There is no central location in the United States for (cybersecurity) reports to go to because companies are afraid to share that information because it may indicate some weakness in their security posture and leave them open to shareholder or customer lawsuits claiming that their security is inadequate,” said Frymier.

Although this proposed law and the standardization of procedures it would create could greatly aid companies that have been hacked and are trying to figure out what their notification obligations are, Frymier said it would do little to help customers protect their information.

“I think the consumer and the general public have a fatigue with these notifications,” explained Frymier. “Just about everybody has had a card replaced at this point and they get these letters in the mail telling them these things have happened. I don’t think their behavior has been altered much, if any, but the real benefits for the credit card industry are going to come from having a chip on the card and updating all of the various pieces of equipment that are today associated with reading a magstripe.”

Despite the efforts of any business to implement the best cybersecurity technology and policies at its organization, Frymier said there are more complex issues that make complete protection against data breaches a virtual impossibility.

“There are three reasons why the hackers are winning,” explained Frymier. “The first is that there are flaws in the underlying design of the IP protocol, which is what drives the internet. The major flaw there is that it allows for anonymity and the spoofing of addresses, and that’s not something that is going to be solved anytime soon. The second problem is that the world has standardized on Microsoft Windows as an operating system, Microsoft Office as the office productivity suite and several other pieces of software from several other companies that everybody uses. Standardization is a good thing for productivity, but it is a horrible thing for security because once the bad guys find the vulnerability in that software, they literally have hundreds of millions of targets to exploit. The third problem is the whole issue of software quality in general. We just haven’t figured out how to write software that is bug free and we can do it, but people don’t want to take the time or spend the money, so we end up with buggy software. It is going to be a while before these things get addressed and these breaches and hacks are going to go on for the foreseeable future.”

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.