Intersections’ Consumer Security Adviser Neal O’Farrell shares his thoughts on the recent cyber security plan proposed by the White House.
In an effort to stem the seemingly endless flow of data breaches exposing personal information to thieves and other risks, the White House is floating a cyber security plan that includes a new Federal standard for how a breached organization or business should respond. And while almost every state in the nation already has some sort of data breach law, this is the first time that a single, federal law has been proposed.
Here are some of the highlights:
- Under the proposed legislation, a breach would be defined as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.”
- Any organization, for profit or not-for-profit, is covered by the legislation if it collects or stores personal information on more than 10,000 individuals over a 12-month period.
- Any breach discovered must reported to the Federal Trade Commission within 60 days of discovery, but breached organizations can be granted an extra 30 days.
- Healthcare organizations would not be covered because they are already covered by pretty comprehensive data breach legislation.
- Some organizations could be completely off the hook in the event of a data breach. For example if the organization conducted a risk assessment that concluded there would be no harm done to the individuals whose information had been exposed or stolen; or if the information had been protected in such a way, like encryption, that it would be of no use to the thieves.
- Civil penalties would be capped at a very low $1 million.
- Data covered by the legislation includes the obvious, like names, addresses, account numbers, passwords and Social Security numbers, but doesn't seem to include email addresses.
Now while this legislation so far is just a proposal and could be altered, it does seem to be a very weak response to a major security problem.
- Capping civil penalties at $1 million seems too generous to the offending organizations and does not really punish the most egregious of breaches.
- While the legislation requires that a breached organization must notify the credit bureaus, there's no mention of whether they must identify to the bureaus which consumers have been affected and what the bureaus should do. So I assume the bureaus will do nothing.
- Because there's no mention of email addresses as sensitive data, it could mean that some of the biggest data breaches, like the recent Epsilon breach that exposed tens of millions of email addresses, would not be covered by the legislation.
- Up to 90 days to first notify the public seems too long. I understand the need for breached entities to learn as much as possible about the breach but they could easily make a "qualified" early announcement. The legislation should incorporate that.
- There's no free credit monitoring provision, which means that's entirely at the discretion of the breached entity. There's also no education provision and no long term support provisions. We know that many thieves will hang on to data for months after the event, waiting for the fuss and attention to pass. That leaves victims on their own when the thieves finally try to launch their "liquidity event" and cash in the stolen data.
- And I can see all kinds of problems, delays, and even deceit over the ways organizations determine whether the exposed or stolen data can harm victims. Shouldn't victims have a say in that determination?
In summary, I think the White House is obviously seeking to create a clearer and more defined way for breached entities to respond, but so far they seem to be letting these organizations off way too easy. We'll see if they change the mind, or maybe read this blog post.
Note: Read what other security experts say about the proposed Federal data breach policy in this article on BankInfoSecurity.com.