In Praise Of The SAFE Data Act Bill

on November 02, 2011 at 7:56 AM

Despite what seems to be a political deadlock and an endless election cycle, some folks in Washington are indeed trying to accomplish a few items – and potentially for the better as it pertains to concerns about cybersecurity.

Data breaches ranging from Stuxnet to PlayStation have reached most constituents and even their living rooms in some cases. This rash of high level and public data breaches has helped Congress move forward the SAFE Data Act. The proposed bill would establish security and data breach notification standards for organizations that collect private information from consumers and deserves more than casual attention.

There currently are at least 20 bills dealing with cybersecurity and information security pending in the Senate, and at least 13 more in the House. Many of the bills are perennial efforts that have been introduced in previous Congresses, and the numbers do not include the White House proposal, which has not been introduced as a bill.

Standards, especially when concerning security, can indeed be a good thing. The SAFE Data Act will no doubt go through several changes before it is final. But below are initial thoughts on the legislation that may be addressed, expanded upon or even removed completely in the coming months:

• Uniting the States – If it does pass, unifying the various privacy mandates that exist at the state level is a good thing and should make life easier for organizations that span multiple states – the risk is that the bill ends up being the highest (or worse still the lowest) common denominator rather than the pick of the best.

• Timing Is Everything – Notifying consumers as quickly as possible of a breach is obviously important so that they have a chance to take appropriate action. It seems that the act will attempt to define a deadline for disclosure. The question is a deadline from when – suspicion of breach, detection of breach, proof of breach or point of agreement that data might be misused?

• “Exemption” and “Reasonable,” the dreaded caveats – Two words that appear in the act that always leave things a bit nebulous. Some organizations will be exempt from the act. Also, organizations will have the final say on whether there is a reasonable risk that the data could be maliciously used. “Reasonable” could leave the door too wide open for interpretation.

• What Data Is Covered – It is interesting to note that the proposed bill currently relates to name, address and phone, but not email. As we all clearly know by now, email is a common consumer ID element. Also, the bill only covers financial data and ID information that could be used for identity theft – not healthcare, employee records (like salary), criminal records etc.

• Encryption Is a Good Thing – There is a safe harbor: if the data is protected (for example, it is made unreadable by encryption or tokenization), organizations will avoid the need to disclose, since the risk of misuse will be extremely small if not eliminated completely. This means that organizations can be proactive and take steps ahead of an attack to limit exposure, essentially buying themselves a ‘get out of jail’ card.

• Electronic as Well as Physical – The proposed bill seems to include paper based as well as electronic information.

The act does seem like a step in the right direction and will help provide a much needed general standard for security and data breach notification. As has been noted, there are definitely a few questions that the bill in its current form triggers, and we will all watch eagerly as the act moves forward until its signing.

If we have learned one thing, it certainly is that data breaches are not going to stop occurring.

Therefore, both the government and private sectors must work together to both prevent and address security concerns.

Richard Moulds is vice president for product management and strategy and a data protection expert at Thales e-Security.