
DATA SECURITY & BREACH NOTIFICATION: PROTECTING CONSUMERS & CREATING A NATIONAL STANDARD

Issue: The United States needs a national standard for consumer data protection and breach notice requirements.

CSIA strongly urges Congress to pass a federal law requiring business and government to (1) establish and maintain a data privacy and security program to ensure the confidentiality and integrity of personal information, and (2) establish uniform notification requirements when a security breach presents a risk of harm to consumers. While some 40 states have varying requirements that cover data security and breach notification, the vast majority of these laws only address the problem after personal data has been compromised.

Why Congress must act:

  • Identity Theft Tops FTC List of U.S. Consumer Complaints: The increasing number of data breaches is a major threat to privacy, consumers' identities and our nation's economic stability. Databases of sensitive personal information are prime targets of hackers, identity thieves and rogue employees, as well as organized criminal operations. According to the Better Business Bureau, identity theft affects an estimated 10 million U.S. victims per year. For the seventh year in a row, identity theft tops the list of complaints that consumers filed with the Federal Trade Commission, accounting for 36 percent of the 674,354 complaints received from Jan. 1 to Dec. 31, 2006.
  • Massive Data Leakage Will Continue Unless the Public and Private Sectors are Required by Congress to Implement Strong Security Measures to Prevent Breaches: Over 200 million records have been compromised due to data security breaches since 2005. Earlier this year, mega retailer TJX suffered a major computer breach involving credit and debit card purchases by over 95 million American consumers - the largest data breach in U.S. history thus far. Congressional action is urgently needed to ensure the security and resilience of information systems fundamental to consumer confidence, homeland security, e-commerce and economic growth. 
  • The Problem is Widespread and Impacts Every Demographic: Breaches have occurred at every kind of organization - schools, government agencies, health systems, small businesses and large retail stores. The education sector has accounted for the largest number of data breaches in 2007, with 30% of all data breaches that could lead to identity theft.
  • Federal, State and Local Governments are Responsible for 25% of All Data Breaches: Governments are the third most targeted sector for cyber attacks and are wholly responsible for 25 percent of all data breaches. The infiltration in particular of federal government networks and the possible theft or exploitation of our information is one of the most critical issues confronting our nation. During 2006, we witnessed large scale data breaches at the Department of Veterans Affairs, the IRS, the Department of Commerce, the Department of Agriculture and TSA. 
  • Data Breaches Continue to Undermine Consumer Confidence in the Internet for E-Commerce: Consumers are beginning to rethink doing business online - and with good reason. A 2007 study released by the University of Maryland's A. James Clark School of Engineering found that hacker attacks on computers with Internet access occur every 39 seconds on average. Computers used in the study were attacked, on average, 2,244 times a day. According to a June 2005 survey of 10,000 households conducted by the Conference Board, 41 percent of consumers are purchasing less online because of security concerns. And according to a recent survey by CSIA, 32 percent of respondents strongly believe that their financial information may get stolen online. Congress needs to act to stop the erosion of public trust in the Internet.

What CSIA supports:

  • Establishing a sensible national standard to reduce the breaches of personally identifiable information by requiring business and government to establish and maintain a data privacy and security program to ensure the confidentiality and integrity of personal information. The national standard should require organizations to proactively implement processes and procedures to ensure workforce compliance before a breach occurs. Legislation should apply equally to all entities that collect, maintain or sell significant numbers of records containing sensitive personal information. Without a consistent national law, there will continue to be confusion arising from at least 38 state laws that cover data security and breach notification. Additionally, many of these state laws only cover breach notification without establishing safeguards that will help prevent breaches from occurring in the first place. 
  • Use of encryption or other effective security practices in determining a risk-based threshold for notification. If data has been rendered unusable and not accessible through effective encryption with proper key management or other widely accepted security practices, an exemption to providing notice should be granted in order to incentivize entities that implement strong preventative pre-breach security measures to protect personal sensitive information. CSIA supports a "safe harbor" for entities that render data unusable should it be lost or stolen. 
  • Updating technology standards and methods to correspond with evolving threats. CSIA supports a layered security approach to best protect against data breach threats. Encryption with appropriate management of cryptographic keys, or other legitimate methods of rendering data unusable, is necessary in order to ensure the most effective protection of sensitive information. As standards change and new security methods evolve to confront existing threats, they must be updated regularly by federal regulators in consultation with industry experts. A comprehensive data security program goes well beyond rendering data unusable - it includes testing, identity and authentication controls, effective access management practices, firewalls, anti-spyware, standardization, appropriate data storage, data loss prevention, and real-time monitoring and alerting.
  • Building on existing standards and legislation. There is no need to reinvent the wheel. Data security legislation should include incentives where possible for the adoption of widely accepted industry best practices such as the Payment Card Industry Data Security Standard, ISO 27001 and ISO 17799. These are effective industry standards that help organizations establish a layered approach to information security, and they are continually updated by security experts around the globe. These standards evolve as the threats evolve. If a business or government agency adopts these standards, it should be deemed in compliance with the base-level data security requirement of the legislation. Some sectors of the economy are already bound by a substantial data security requirement. Financial institutions are covered by the Gramm-Leach-Bliley Act, and many in the health industry are covered by the Health Insurance Portability and Accountability Act (HIPAA). The national data security standard should be drawn from these models and take care not to impose duplicative or conflicting standards and enforcement bodies onto these entities. Rather, the uniform federal standard should fill the very large gaps that exist by bringing these federal standards to those currently bound by none.

What action is needed:

Strengthening the security of data and notifying consumers when breaches occur has broad, bipartisan support in Congress. CSIA strongly supports legislation balancing the needs of consumers, business and government in order to better protect sensitive personal data. Congress must pass, and the President should sign into law, legislation to prevent further data breaches and address leaks once they occur.

For more information, contact:
Tim Jemal, SVP, Gov. Relations, CSIA
[email protected], 703-894-1263