Log in

Site menu:



Site search

August 2020



National Breach Notification Laws

As a follow-up to a post from February 2009, I’m mostly happy to comment on the recent progress that’s been made toward the establishment of National breach notification laws. As reported on November 5, 2009 by, “the Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.”

The first, S.139 “Data Breach Notification Act”, is a short and fairly high-level bill “to require Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.” Strangely, while a bill titled “Data Breach Notification Act” would seem to be a generalized proposal for full disclosure and transparency in the event of a data breach, rather than a specific protect individuals against identity-theft measure, S.139 focuses almost neurotically on personally identifiable information. The Definitions section reasonably describes “Sensitive Personally Identifiable Information” (PII) as the usual set of some combination of name, social security #, passport #, address, birth date, biometric data, or account information. Puzzlingly, however, it perfunctorily defines “Security Breach” as:

(A) IN GENERAL- The term “˜security breach’ means compromise of the security, confidentiality, or integrity of computerized data through misrepresentation or actions that result in, or there is a reasonable basis to conclude has resulted in, acquisition of or access to sensitive personally identifiable information that is unauthorized or in excess of authorization.

The second, S.1490 “Personal Data Privacy and Security Act of 2009” is a toothier and far more detailed proposal “to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” Title I introduces penalties both for the perpetration of identity-theft crimes, and also for the intentional concealment of data breaches. Title II sets transparency requirements and enforcement for data brokers. Title III and its subtitles define the requirements and enforcements for a Personal Data Privacy and Security Program and security breach notifications, and establishes within the FTC the Office of Federal Identity Protection to help victims of identity theft. Finally, Title IV sets compliance standards for awarding contracts to data brokers, requires Federal agencies to complete privacy impact assessments before obtaining from data brokers any PII on US citizens, and amends the duties and responsibilities of the Chief Privacy Officer, reporting to the Deputy Attorney General.

Why the mixed feelings? The good: These bills offer a single national standard rather than a mélange (or sometimes completely nonexistent) state data breach laws, they seems to take the stance of “expenses be damned, we’re going to start doing the right things,” and they establish some pretty stiff enforcements and penalties. The bad (this is going to take a bit longer): First, S.139 greatly neuters the potential effectiveness of a national law by limiting itself to a delineated bag containing only personally identifiable information. What about breaches involving such losses as corporate information whose disclosure might be of interest to shareholders, or client-attorney data, or redacted medical records, etc.? Was this confinement really necessary considering the single-minded focus S.1490 has on identity-theft?

Second, the “Exemptions” sections in both S.139 and S.1490 both basically say parties are exempt from the notification requirements if they have encrypted the data or otherwise rendered the data indecipherable. Makes perfect sense given that we also accept that encryption is unbreakable, and that the ultimate utility of stolen data is something that can be assessed prior to the occurrence of a data breach.

Third, and most importantly, the surprisingly prescriptive Section 302 of S.1490 does well enough with some conventionally safe and wise words about risk assessment, training, vulnerability testing, the iterative nature of security, and a nod to the great and powerful cloud, but it falls short in the area of risk management and control. Section 302 4B basically says “control access”, “detect breaches”, “protect data at rest, in use, and in transit”, “employ data destruction”, “trace access to records”, and “ensure access entitlement”.

So what’s the failing? That this is a bill concerned primarily with breach notification–essentially a prescription for what should be done when security controls fail–but its “risk management” section is single-mindedly and conceitedly preventative. Rather than offering guidance for being better able to “determine the scope of a breach,” it basically says “don’t have a breach”. The “trace access to records” entry is the only bit that comes close to forensics, but myopically perpetuates the unfortunate industry fallacy that such information as netflows and access logs are sufficient for this task. When will we acknowledge that flows only show that a communication session took place, not what was communicated, or that logs are good at recording access that goes through conventional channels, but not so good at recording unsanctioned access that was intentionally subversive or exploitative?

Despite the obligatory criticisms, these bills are steps in the right direction. Both are good signs that our political leadership seems to be on the right track in the pursuit of information security.

Share: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Twitter
  • Reddit
  • Slashdot
  • LinkedIn
  • Facebook
  • email
  • Print

You must be logged in to post a comment.