Critics slam proposed data breach notification law

10.11.2005
A proposed nationwide law that would require companies to notify consumers of data breaches involving their confidential information is being criticized by some security experts as being too ambiguous to be effective.

The proposed Data Accountability and Trust Act (DATA), or H.R. 4127, was approved by a 13-8 vote along partisan lines by a subcommittee of the Energy and Commerce Committee on Nov. 3.

The bill was written by Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, and now goes to the full Energy and Commerce Committee for further consideration.

In broad terms, the proposed law is similar to California's Database Breach Notification Act and similar laws in other states because it requires companies to notify consumers of security lapses involving their private data. It would also require information brokers to inform the U.S. Federal Trade Commission about plans for safeguarding private data and to submit to periodic security audits by the FTC in the event of a breach. The FTC would be responsible for enforcing the new law.

If approved, the measure would override state laws such as the one in California and would serve as a national breach-notification mandate.

While there have been calls for such a national law, the biggest problem with H.R. 4127 is that it requires companies to inform consumers of breaches only if they believe a significant risk of fraud exists, said Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.

That could allow companies to avoid reporting certain breaches of customer data that some state laws currently require them to report, he said.

"I believe that 98 percent of the time companies are not going to disclose breaches" if the law goes into effect, Paller said. "Only 2 percent are going to be good citizens and report breaches" if there is nothing to suggest imminent fraud, he said.

"It will be the absolute decimation of the impact of the California [law]," he said. "This is corporate lobbying at its worst."

What makes it likely that companies will choose not to report some breaches if the bill becomes law is the fact that it is often next to impossible to link cases of identity theft and fraud with a specific security breach, said Christopher Pierson, a lawyer with Lewis and Roca LLP in Phoenix. "By including this language about significant risk, the bill will leave it entirely up to the companies themselves" to decide when to report a breach, Pierson said. In contrast, "California's SB 1386 empowers people to be able to receive information about a breach and do something about it," he said.

There are other ambiguities, too. The bill, as proposed, does not set a time period within which a company must disclose a breach, Pierson said. Moreover, it appears to target only companies that do business across state lines, and it's vague about the obligations of companies that operate within just one state, said Arshad Noor, CEO of StrongAuth Inc., a compliance management firm in Sunnyvale, Calif.

The proposed law specifies that companies must have policies and procedures, but it does not explicitly call for any controls, Noor said. "Does this mean that I can have paper documents that reflect my policy and procedures but not have to do anything about it -- and yet be compliant?" he asked.

As with most legislation, H.R. 4127 has both good and bad elements, said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. For example, strengthening the FTC's enforcement capabilities is a good thing, he said. So, too, is a provision that exempts companies from reporting breaches if they have encrypted sensitive data, he said.

The proposed law is also very explicit about the consumer notification process and what information must be disclosed, Pierson said.

Raising the bar for disclosure is not automatically a bad thing, Pescatore said. "There does need to be some kind of balance about disclosure." He said existing laws have resulted in a kind of "disclosure overload," with companies being forced to publicize every security incident involving customer data, even though in 99 percent of the cases no fraud results from the incident.

"A lot of today's disclosures have simply gotten ridiculous," he said.

Stearns did not immediately respond to a request for comment.