New legislation proposed by the White House aims to replace the patchwork of state rules with a single nationwide standard for data breach notification, and experts say the timing for the proposed data breach notification law has never been better.
The Obama administration is seeking to standardize how long companies may wait before informing consumers of a breach involving their data. At the same time, the White House issued a document outlining its International Strategy for Cyberspace, a roadmap for how the federal government would help secure distributed networks, protect intellectual property and build disaster response plans.
The new data security legislation sent to Congress follows a string of high-profile data breaches. It would require companies to notify potential victims “without unreasonable delay.” Other requirements include the notification of a major media outlet and all major credit-reporting agencies within 60 days if the credit card data on more than 5,000 individuals is at risk.
The bill and the accompanying national strategy document come just two years after President Barack Obama’s Strategic Cybersecurity Review, which made cybersecurity a matter of U.S. national security.
“There hasn’t been a high number of very high-profile attacks and data breaches that have drawn the concern of Congress,” said Eric Rosenbach, principal and lead of the Global Cybersecurity Consulting Practice at Good Harbor Consulting. “You see now, within the last two or three years, that there has been a number of high-profile attacks that change the context in which people think about this.”
The Obama administration said it sought to construct a single piece of legislation that would benefit the private sector and protect consumers by creating one consistent federal standard for data breach notification. A unified federal law will help “push forward the new momentum of cloud computing” by creating one set of rules for large corporations to deal with instead of several, Rosenbach said.
Rosenbach believes that while the proposal is important, it will not make it through the legislative process unchanged, especially coming from a Democratic White House to a Republican-controlled House of Representatives.
Other experts agreed that the timing is right for federal cybersecurity legislation. Different rules and regulations set up by states have been costly for enterprises, said Pete Lindstrom, a research director with Malvern, Pennsylvania-based Spire Security.
“Any time you’re consolidating the procedural requirements for notification, I think it’s generally a good thing,” Lindstrom said. “Right now, with each state deciding how notification should occur, it’s a huge burden on enterprises to actually comply with all the different state laws.”
Lindstrom said privacy advocates will be watching the bill closely, but legislators are keenly aware of ongoing sensitivity over privacy issues.
“States are going to dislike it because it usurps some of their authority, but generally the House and the Senate are going to like it because it gives them more oversight and people care,” Lindstrom said.
Others, like Avivah Litan, a vice president and distinguished analyst at Gartner Inc., see the law as “pretty innocuous” and do not anticipate much of a fight on Capitol Hill. Since companies already have to comply with state disclosure laws, they have little reason to fight a bill that would simplify their legal obligations; however, Litan is sure some lobby groups will come out against the bill.
“I think this law can only improve security,” Litan said. “I think it is one of the better things they’ve done in cybersecurity, and I’m not usually very generous with them. I’ve got lots of other criticisms of the Obama administration, but I think this law is actually a good proposal.”
A unified federal law would be especially helpful to smaller businesses, said Good Harbor’s Rosenbach, sparing them the cost of specialized lawyers, particularly when they operate in multiple states. Larger companies often have the resources to handle many varying state laws, while smaller businesses do not, which can be an impediment to competitiveness.
“The private sector, above all else when it comes to cybersecurity, wants something that is stable and easy to understand because then it’s easy for them to plan for future investment and they have a more stable kind of operating environment,” Rosenbach said.