U.S. Senate’s Data Breach Bill Full Of Flawed Assumptions
The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless. Unless they have a picture of a suspect that they want identified or located—a highly unlikely situation with a major data breach—law enforcement (especially at the federal level) would always rather keep information quiet. So without listing specific requirements for such a finding, it’s an amazingly low bar.
Although the bill “prohibits federal agencies from providing a written certification to delay notice, to conceal violations of law, prevent embarrassment or restrain competition,” it doesn’t provide a presumption of disclosure, nor specifics for the Secret Service to rely on. In other words, if the agents would rather the suspects know as little as possible about what they know, there’s nothing in this law to require retail disclosure.
Here’s another interesting exemption: “Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised.”
That’s interesting because the bill—again—offers no specifics to help someone make that determination. What constitutes significant? Executives involved in several recent major breaches—including Heartland—have argued, for various reasons, that their customers are not really at risk. Who is conducting that assessment? If it’s being done by the retailer itself—or by an assessor being paid by the retailer—I think we can make a pretty good guess that it will be a rare breach where the chain will find a significant risk of harm to its customers. The government is trusting the breach victims—with PR departments and lawyers trying to fend off class action lawsuits—to make that determination? If it gave that job to the Secret Service, along with specific criteria for what the Senate means by significant, then that provision might work.
That section also gives us this well-intentioned gem: “A rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable, and thus, that there is no significant risk of harm.”
Wait a second. Are they actually saying that if the chain used some element of encryption, it’s exempt? What if the chain has a reason to believe that the cyber thieves had cracked their encryption? What if—as actually happened with TJX—the bad guys also stole the encryption key, making the encryption of no value?
More importantly, even if the chain had no reason to believe either the key had been intercepted or the encryption had been cracked, there’s still the fine chance that the bad guys could crack the encryption later. Having a blanket statement that says, in effect, “If you use encryption, no need to disclose anything. We’re all fine here” is ludicrous.
One other part of the bill—Section 312(c)—has an even more vague exemption from the notice requirement “if a business entity has a program to block the fraudulent use of information — such as credit card numbers — to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption.”
So if a chain has any program that is supposed to block the fraudulent use of credit card numbers, they’re off the hook for reporting breaches? OK, I’ll ask: With all of these broad exemptions, what major retailers does this possibly leave that still would be required by this bill to do anything?
It would be easy to dismiss this bill if it were the work of some freshman congressman out there, with no experience and almost no staff. But this is the work of a veteran Senator, who is the chairman of one of the Senate’s most powerful committees. Even worse, this bill has been introduced twice before, giving his staff plenty of time to learn all of its holes the hard way.
The U.S. Senate needs to get involved, establish one federal standard for data breach procedures and put some serious teeth into it. That bill is needed. This bill, however, seems designed to get headlines from reporters who don’t read the actual legislation and to make it sound like it’s going to change something. A bill is definitely needed, but this one—in its present form—isn’t it.
August 5th, 2009 at 4:22 pm
In regard to this statement:
“The U.S. Senate needs to get involved, establish one federal standard for data breach procedures and put some serious teeth into it. That bill is needed.”
Is it even worth pointing out any longer that, according to the 10th Amendment of the Constitution, the idea of a federal data breach disclosure law that supersedes the authority of the states is illegal? Never mind the fact that anything approved by the US Senate will be 90% useless and 10% indecipherable.