After facing down widespread data breaches throughout the retail sector, we all knew it was only a matter of time before legislation arrived. Whether that legislation will provide boon or boondoggle only time will tell, but there is good cause to be hopeful.
The most recent iteration of Washington’s solution for all things malware is a resurrection of the Data Security and Breach Notification Act, a bill that’s been sitting in limbo since June of last year. With all that’s happened in the last two months, Congress has dusted it off and decided to take another look.
The core of the bill revolves around two mandates: applying universal requirements for businesses to notify customers that their data has been compromised, and laying out new guidelines on minimum data security requirements for companies that collect, store, or build transactions around sensitive customer information.
The first portion of the SBN Act, universal requirements on notifying customers when their personal data has been compromised, is a move in the right direction. At present, there are no hard and fast rules that dictate to companies when (or sometimes even if) customers need to be notified in the wake of a data breach. It should be noted that larger corporations are actually more likely to notify customers of a breach, simply because holding back such information can lead to a significant backlash in customer loyalty when the details finally do come out.
Smaller companies, and companies in the financial sector, are more likely to sit on a data breach and wait for an opportune moment to release the details to the public. This is good for the company, but bad for the individual – getting hit by an identity thief with no warning whatsoever can be catastrophic. For this reason alone, establishing firm rules on notification is a good thing.
Where the bill gets murky, however, is in establishing minimum levels of corporate security going forward. The Target breach is a galvanizing event that’s brought players from both the public and private sectors together to search for a workable way to protect our increasingly vulnerable tech sector, but the SBN Act throws all responsibility for establishing the new security guidelines at the feet of the FTC.
Sure, tasking the FTC with final oversight on security guidelines makes sense – the FTC already handles consumer protections on a wide range of issues. But this particular law is protecting both consumers and the businesses who sell to them. As such, there should be some level of input from the private sector on what kinds of minimum standards should be applied, what kind of time frame it will take to implement these changes, and what kinds of fines or reprimands will be levied against businesses that do not comply with these new rules.
The SBN Act is a tremendous opportunity for both lawmakers and leaders in the business community to step forward and assuage the fears of a nervous public, which would do much to rejuvenate our economy. Data security is a singular issue that transcends party lines, largely because effective data protection provides a universal benefit, not just a benefit to one party or the other.
As it stands, the SBN Act could be a landmark piece of legislation that earnestly improves our national data infrastructure, or it could be a dismal failure doomed to the dustbin of history. If lawmakers on both sides can come together – and if the private sector can get a word in sideways – it may well be the most important bill Congress passes this year.
-- Jubal McMillan, Editor
More Information:
http://thehill.com/blogs/hillicon-valley/technology/197161-lawmakers-mull-data-security-legislation
http://politicalnews.me/?id=26934&keys=DATA-BREACHES-LEGISLATION-PENALTIES