The difficulties of crafting federal legislation that still has teeth after all parties have been heard is playing out in discussions of the most recent attempt at national data protection and breach notification legislation. First floated at the beginning of the year and hyped by the White House, the Data Security and Breach Notification Act is being heavily criticized for vague definitions, incomplete coverage of parties responsible for handling of consumers’ data, and perhaps most importantly, for negating stronger protections that already exist at the state level in some areas.
The Center for Democracy and Technology’s Alex Bradshaw outlines several of the problems with definitions within the Act. Though these issues may fall by the wayside a bit as bigger questions about who must act and why are tightened, they’ll need to be cleared up in an effective law. Among other points, “breach of security,” “personally identifiable information” and “reasonable security” are inadequately defined.
Initially, the broad outline of the intent of the legislation seemed to indicate that financial information was to be the focus, but critics say that effort ignores the fact that other classes of consumer data are as valuable, or more so, to criminals and hackers and other nosey people. These different types of data are all interconnected now, as well.
Laura Moy, senior policy counsel for New America’s Open Technology Institute, who testified in the House of Representatives on the contents of the Act, explains on Slate how, for example, phone and other communications carrier data about consumers’ usage is not covered by the current language. That data, Moy points out, contains far more sensitive information than your credit card number: Analysis could easily uncover everything from location information, to connections to other individuals, to health care activities, to civil, political and religious affiliations.
At Health Data Management, Greg Slabodkin explains how Federal Trade Commission (FTC) officials are intent on showing the relationship between the lack of inclusion of health data for protection and/or notification and the potential negative consequences to consumers in the event of a breach of that data: financial damage, loss of health treatments and loss of jobs could all result, among other outcomes.
And further complicating both of these issues, FCW.com points out that FTC and Federal Communications Commission (FCC) officials are questioning which rulemaking authorities they would each transfer to the other or share, according to the Act as currently written.
At the state level, Massachusetts’ Attorney General and Assistant Attorney General declared and testified that the bill would significantly reduce consumer data protections that Massachusetts already provides, Washington state is moving forward with votes on strengthened data encryption and notification protections, and Wyoming enacted amendments to state law, adding a broader definition of personally identifiable information and requiring entities to give consumers more information when notifying them of a breach.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+