Are skeptics on federal data breach law missing the point?

As noted in this space last week, based on recent activity in the Senate and similar if less immediate legislative proposals in the House of Representatives, it seems possible that Congress will move ahead with enactment of a federal-level data breach disclosure law. Given the patchwork of state-level and domain-specific laws that already exist, there is clearly potential to standardize and perhaps simplify the data breach picture, at least by establishing a minimum threshold, which might in turn translate into the use of more proactive data protection practices and technologies by organizations subject to such regulations. In a countering view, CSO magazine conducted its own informal survey as to whether a federal cybersecurity law was the right approach, and saw responses heavily leaning toward an answer of “no.” Before extending this sentiment to the current efforts on national data breach disclosure standards, however, it would be a good idea to distinguish just how much “cybersecurity” is really in the proposed legislation.

The responses highlighted by CSO show a lot of skepticism about the government’s ability to legislate anything that results in better security for those subject to the laws. Without debating the merits of these arguments (there surely are some merits), it might be useful for the survey respondents to remember that the proposed laws aren’t primarily intended to increase the level of security measures organizations apply to data and systems to reduce breaches, but instead to require that when breaches occur, those affected by the breaches must be told. Hopefully such a law will provide an incentive to organizations to take steps to avoid breaches, but aside from granting exceptions in cases where lost data has been rendered unusable through encryption or comparable mechanisms, the Congressional bills don’t even attempt to mandate any particular security practice or use of technology. The provisions in Leahy’s S. 1490 that increase the penalties for identity theft logically can only be seen as an additional disincentive to behavior already prohibited by current law. The absence of technical specificity is a standard feature of security laws, as Congress (quite rightly) doesn’t believe it has the expertise to specify technical mechanisms and certainly doesn’t want to be in the business of promoting one technology over another.

We read the proposed legislation in the context of the greater transparency sought by the current administration on many fronts. Requiring data breach disclosures is a way to make data-holding organizations accountable for their security lapses, and according to the sponsors of the bill it is driven largely by concerns over consumer protection, rather than by a desire to augment data stewardship requirements or strengthen data protection practices. Those who argue that the security realm doesn’t need more enforcement mechanisms are presumably working under an assumption that commercial and public sector entities can be trusted to do the right thing, the very sort of trust model that has defined approaches to complying with FISMA, HIPAA, FERPA, and other major security and privacy laws. These assumptions have more serious implications for organizational security postures than does the prospect of federal-level laws addressing data security and privacy.