Comment: Breaching Its Way through Congress – The SAFE Data Act

The SAFE Data Act: genuine consumer protection, or a political fig-leaf?

Despite what seems to be a political deadlock and an election cycle that is already well under way, some folks in Washington are still trying to accomplish something – and potentially for the better. Data breaches ranging from Stuxnet to RSA to PlayStation are familiar to most constituents. This rash of high-level and public data breaches has helped Congress move forward the SAFE Data Act. The proposed bill, or one of at least two alternatives, would establish security and data breach notification standards for organizations that collect private information from consumers.

As of early this fall, the bill was referred to the Subcommittee on Commerce, Manufacturing, and Trade. Before the bill can be passed there are a number of thorny topics that will need to be ironed out. Here are some thoughts on what are likely to be the sticking points that will ultimately determine if this effort genuinely provides consumer protection, or whether it’s just a political fig-leaf:

Uniting the States: If the SAFE Data Act does pass, unifying the various privacy mandates that exist at the state level will be a good thing and should make life easier for organizations that span multiple states. The risk is that the bill ends up being the highest (or worse still, the lowest) common denominator rather than the pick of the best.

Timing is Everything: Notifying consumers as quickly as possible of a breach is obviously important so that they have a chance to take appropriate action. The good news is that it does seem that the act will attempt to define a deadline for disclosure. The question is when does the deadline clock start to tick – from when there is a suspicion of breach, proof of breach or some later point at which there is evidence that stolen data is actually being misused?

‘Exemption’ and ‘Reasonable’ – the Dreaded Caveats: These are two words that appear in the act and always leave things a bit nebulous. Some organizations or industries, it seems, might be ‘exempt’ from the act. Also, it appears that organizations might have the final say on whether there is a ‘reasonable’ risk that the data they have lost could be maliciously used. Both of these terms could leave the door too wide open for interpretation, making it hard for consumers to know for sure who they can trust with their data.

What Classes of Data are On and Off the List? It’s interesting to note that the proposed bill currently relates to name, address and phone numbers, but not email addresses, even though the email address is probably the most common identifier that is used online. It also seems a bit half-hearted that the bill only covers data that relates to financial and identity information that could be used for ID theft – not healthcare information, employee records (like salary), criminal records, and so on.

Encryption is a Good Thing: There is a safe harbor in the proposed bill that if the data is protected (for example, it is made unreadable by encryption), then organizations will avoid the need to disclose because the risk of misuse will be extremely small, if not eliminated completely. This means that organizations can be proactive and take steps ahead of an attack to limit potential exposure, essentially buying themselves a ‘get out of jail’ card. Unfortunately, like most security technologies, it’s not that simple. Even with encryption there are gray areas between strong and not so strong levels of protection.

Electronic as Well as Physical: The proposed bill seems to include paper-based as well as electronic information. This makes a lot of sense but risks making the standard even harder to define because the threat models, protection mechanisms and opportunities to misuse the stolen information are so different.

The proposed SAFE Data Act does seem like a step in the right direction and will help provide a much needed general standard for security and data breach notification. These are still relatively early days and much could change as the various federal privacy bills morph or merge. However, there are definitely a few questions that the bill in its current form triggers, and the security industry and consumer groups alike will watch eagerly as the act moves forward.

If we have learned one thing, it is certainly that data breaches are not going to stop occurring. But by government and private sectors working together, a national breach notification bill such as this could remove confusion in the market, motivate companies to put the right security measures in place, and give consumers something they can put their trust in.

Richard Moulds is the vice president of product management and strategy for Thales e-Security, where he contributes his well-respected data protection expertise and thought leadership to the information technology security activities of the company. Moulds has helped Thales take the lead in redefining the boundaries of encryption management for global enterprises. He holds a bachelor’s degree in electrical engineering from Birmingham University and an MBA from Warwick University, UK.