On Monday, YahooTech published former Washington Post columnist Rob Pegoraro’s update on the public discussion on what he referred to as weak data breach laws, which “leave us all in a compromised position.” With a view on recent large-scale security breaches, including the Holiday Season hack that stole personal information of 70 to 110 million Target customers, Pegoraro took stock of the regulations in place.
He concluded that, after the Cyber Intelligence Sharing and Protection Act (CISPA) did not make it through the Senate, federal laws requiring and standardizing corporate responses after data breaches are still missing. As “Washington has outsourced this work to the states[,]” companies may have to apply the most stringent of as many as 46 different laws, depending on where their operations are located.
Moreover, according to Pegoraro, the Federal Trade Commission (FTC), responsible for policing data security, is being challenged in its authority to investigate companies after security breaches that follow from deceptive or unfair practices. Wyndham Hotels, subject to an FTC investigation, has brought the case before the United States District Court for the District of New Jersey.
Summing up the result of missing legislation and a challenged enforcement mechanism, Pegoraro quoted his former colleague and security go-to guy Brian Krebs:
It’s a month out from the [Target] breach, and we still don’t have official details on what happened. That’s inexcusable in my mind, and very short-sighted.
Addressing exactly this deficiency, Congress is currently considering proposals, including the following three bills, all of which would preempt the currently applicable state laws and set a national standard:
- Sen. Patrick Leahy’s (D-Vt.) Personal Data Privacy and Security Act of 2014 (PDPSA)
- Sens. Roy Blunt’s (R-Mo.) and Thomas Carper’s (D-De.) Data Security Act of 2014 (DSA)
- Sens. Pat Toomey’s (R-Pa.), Angus King’s (I-Maine), and John Thune’s (R-S.D.) Data Security and Breach Notification Act of 2013 (DSBNA)
While each bill provides rather similar notification requirements (covering both federal authorities and affected individuals/consumers), PDPSA and DSBNA set themselves apart from the DSA, as they would explicitly penalize the intentional/willful concealment of security breaches.