The Time is Now for Breach Legislation

Posted in Cybersecurity, June 15, 2011

Data breaches are all over the news these days — Epsilon, Sony, Citi and Lockheed Martin, to name a few of the corporations, along with a number of government agencies and organizations.

One group, the Privacy Rights Clearinghouse, has recorded more than 2,500 breaches since 2005, involving more than 530 million individual records. In many cases, these records include data that are useful to identity thieves, such as Social Security, credit card, and driver’s license numbers.

Surveys find these breaches are causing people to question the security of online transactions. That is especially troubling because we are in the middle of an exciting new wave of innovation with the emergence of cloud computing, which offers tremendous new opportunities for economic growth by promoting greater efficiency and cost savings. We cannot allow breaches to erode confidence in the online world at this important moment for the Internet economy.

For years, BSA and its members have fought to protect data against cybercriminals by investing to reduce vulnerabilities and protect the integrity of the technologies they provide; by developing cutting-edge security solutions for businesses and consumers; and by leading the fight against software piracy — not only because it drains revenues from American companies, but also because illegal software commonly includes malicious computer code that hackers and other criminals use to steal data.

Importantly, BSA members are also at the forefront of the cloud computing revolution — which creates new opportunities to store data behind strong security walls.

But there is an urgent need for Congress to act, too. Those who are responsible for holding data should have a duty to take appropriate security measures, consistent with the sensitivity of the data entrusted to them. And when there is a breach that poses a significant risk of harm, customers and consumers should be notified promptly.

In the absence of a national law, all but a handful of states have already enacted their own data breach notification requirements. Unfortunately, this has created a legal patchwork that is unwieldy for businesses and potentially confusing to consumers. We need a uniform, national framework that protects consumers and preempts this patchwork of state laws.

I testified today before the House Energy and Commerce Committee in a hearing to discuss draft legislation being introduced by Rep. Mary Bono Mack (R-Calif.), Chairman of the Subcommittee on Commerce, Manufacturing, and Trade. I endorsed the bill’s key provisions. In particular:

  • BSA supports requiring organizations that hold sensitive personal information to implement reasonable security procedures. The draft bill takes into account an organization’s size, the scope of its activities, and the costs involved.
  • We support creating incentives to adopt strong security measures. The draft bill will promote the use of technologies such as encryption, which render data unusable, unreadable or indecipherable to thieves if they manage to steal it.
  • We support an approach that avoids unnecessarily alarming or confusing consumers. And the draft bill accomplishes that by only requiring notification when there is a risk of identity theft, fraud or unlawful activity.
  • Finally, BSA supports the bill’s establishment of a uniform, national framework with federal enforcement — preempting today’s patchwork of state laws.

I testified two years ago, too, about the need for a national data breach law. Since then, at least 250 million sensitive records have been breached, according to the Privacy Rights Clearinghouse.

This is now the fourth Congress to consider data breach legislation. I urge Members to pass a federal data breach law this year. The time to act is now. The need is clear, as are the solutions.
