This is page 2 of:
As Federal Data Breach Bill Goes To The Full U.S. Senate, NRF Warns Of “Notice Fatigue.” Not To Worry: This Bill’s Many Loopholes Won’t Require Retail Chains To Do Much Anyway
The bill allows for delays for any “time necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment and restore the reasonable integrity of the system,” among other things. Is that all? As evidenced by recent major breaches—quite legitimately, by the way—those conditions could easily extend to the end of time itself. How long does it take to completely determine the scope of a breach where security logs are manipulated by the intruders? How long will it take to absolutely prevent any further disclosures? How about that “restore the reasonable integrity” part?
The bill, though, tried to set an upper limit of 90 days, but with sufficient law enforcement exceptions to allow it to extend far beyond that.
“If the United States Secret Service or the Federal Bureau of Investigation determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the agency or business entity that experienced the breach. The notification from the United States Secret Service or the Federal Bureau of Investigation shall specify in writing the period of delay requested for law enforcement or national security purposes.”
In general, the bill wants 30-day delays, but it gives no limit if law enforcement decides on its own that “further delay is necessary.” Notification also wouldn’t apply if the Secret Service or the FBI “determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations.”
It’s important to remember that, in general, law enforcement is focused primarily (if not exclusively) on catching the bad guys and preventing them from doing this to others. The preventing is generally done by the catching. Law enforcement would always prefer to keep things quiet for as long as possible, to try and capture the bad guy and to learn as much as possible before the bad guy discovers his attack has been discovered.
The bill does require businesses to tighten up security, but the type of data it’s trying to protect is overwhelmingly only at issue with retailers that take credit and/or debit cards. Most cash-only (or cash- and check-only) businesses retain very little personal data. And credit-card-accepting retailers already have to do everything the bill specifies as part of PCI compliance, so it’s really unlikely to have any impact there. The bill, however, does do some meaningful things to dilute prosecutions of data breaches, which is presumably the opposite of its goal.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
