U.S. Senate’s Data Breach Bill Full Of Flawed Assumptions

July 26th, 2009

The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless. Unless they have a picture of a suspect that they want identified or located—a highly unlikely situation with a major data breach—law enforcement (especially at the federal level) would always rather keep information quiet. So without listing specific requirements for such a finding, it’s an amazingly low bar.

Although the bill “prohibits federal agencies from providing a written certification to delay notice, to conceal violations of law, prevent embarrassment or restrain competition,” it doesn’t provide a presumption of disclosure, nor specifics for the Secret Service to rely on. In other words, if the agents would rather the suspects know as little as possible about what the agents know, there’s nothing in this law to require retail disclosure.

Here’s another interesting exemption: “Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised.”

That’s interesting because the bill—again—offers no specifics to help someone make that determination. What constitutes significant? Executives involved in several recent major breaches—including Heartland—have argued, for various reasons, that their customers are not really at risk. Who is conducting that assessment? If it’s being done by the retailer itself—or by an assessor being paid by the retailer—I think we can make a pretty good guess that it will be a rare breach where the chain will find a significant risk of harm to its customers. The government is trusting the breach victims—with PR departments and lawyers trying to fend off class action lawsuits—to make that determination? If it gave that job to the Secret Service, along with specific criteria for what the Senate means by significant, then that provision might work.

That section also gives us this well-intentioned gem: “A rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable, and thus, that there is no significant risk of harm.”

Wait a second. Are they actually saying that if the chain used some element of encryption, it’s exempt? What if the chain has a reason to believe that the cyber thieves had cracked their encryption? What if—as actually happened with TJX—the bad guys also stole the encryption key, making the encryption of no value?

More importantly, even if the chain had no reason to believe either the key had been intercepted or the encryption had been cracked, there’s still a real chance that the bad guys could crack the encryption later. Having a blanket statement that says, in effect, “If you use encryption, no need to disclose anything. We’re all fine here” is ludicrous.

One other part of the bill—Section 312(c)—has an even vaguer exemption from the notice requirement “if a business entity has a program to block the fraudulent use of information — such as credit card numbers — to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption.”

So if a chain has any program that is supposed to block the fraudulent use of credit card numbers, they’re off the hook for reporting breaches? OK, I’ll ask: With all of these broad exemptions, what major retailers does this possibly leave that still would be required by this bill to do anything?

It would be easy to dismiss this bill if it were the work of some freshman congressman out there, with no experience and almost no staff. But this is the work of a veteran Senator, who is the chairman of one of the Senate’s most powerful committees. Even worse, this bill has been introduced twice before, giving his staff plenty of time to learn all of its holes the hard way.

The U.S. Senate needs to get involved, establish one federal standard for data breach procedures and put some serious teeth into it. That bill is needed. This bill, however, seems designed to get headlines from reporters who don’t read the actual legislation and to make it sound like it’s going to change something. A bill is definitely needed, but this one—in its present form—isn’t it.
