Data Breach Bill's Flawed Assumptions

This column was written by Evan Schuman, the editor of StorefrontBacktalk.com, a site that tracks retail technology, e-commerce and security issues. Retail Realities will appear each Friday. Evan can be reached at e-mail and on Twitter.

In short, the bill is trying to make it more difficult for major retail chains to hide large data breaches when, in fact, the wording will make it easier for them to hide such breaches.

Leahy is pushing the Personal Data Privacy and Security Act was introduced July 22 and said it was "one of my highest legislative priorities as Chairman of the Judiciary Committee." (Details details. Is that "one of my top two highest priorities" or "one of my top 10,000 highest priorities"?)

"This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," the Senator said in a statement.

The parts of the bill relevant for retails chains would increase criminal penalties for identity theft involving electronic personal data and make it a crime to "intentionally or willfully conceal a security breach involving personal data." That last part carries a punishment of either a fine or imprisonment of as long as 5 years, or both. It allows allows the Federal Trade Commission to impose "a civil penalty of not more than $5,000 per violation, per day and a maximum penalty of $500,000 per violation. Intentional and willful violations of these sections are subject to an additional civil penalty of $5,000 per violation, per day and an additional maximum penalty of $500,000 per violation."

There's the possibility that some smaller retail chains may be exempt, as the introduced version of the bill only applies to "business entities that compile, access, use, process, license, distribute, analyze or evaluate personally identifiable information in electronic or digital form on 10,000 or more U.S. persons." A provision requires media notification "if the number of residents in a particular state whose information was, or is reasonably believed to have been, compromised exceeds 5,000 individuals." Section 316 requires that business entities and federal agencies notify the Secret Service of the fact that a security breach occurred within 14 days of the breach, if the data security breach involves: (1) more than 10,000 individuals; (2) a database that contains information about more than 1 million individuals.

It also requires internal testing "to ensure that third parties or customers who are authorized to access this information have a valid legal reason for accessing or acquiring the information."

Most importantly, the bill would replace a wide range of conflicting state laws, as it specifically "preempts state laws relating to administrative, technical, and physical safeguards for the protection of sensitive personally identifying information."

But the core of the bill is where things get a bit dicey. It requires retailers to notify consumers impacted by a breach "without unreasonable delay" but it doesn't say how much time retailers can take. Without that specific, it would seem difficult to enforce the law.

Even worse, the exemptions for notification are so broad as to make it unlikely that any retailer would actually be impacted. For example, the bill provides a blanket exemption as long as a chain "provides a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation or damage national security." The Secret Service then has to perform a review to determine if it's a warranted claim.

The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless. Unless they have a picture of a suspect that they want identified or located-a highly unlikely situation with a major data breach-law enforcement (especially at the federal level) would always rather keep information quiet. So without listing specific requirements for such a finding, it's an amazingly low bar.

Although the bill "prohibits federal agencies from providing a written certification to delay notice, to conceal violations of law, prevent embarrassment or restrain competition," it doesn't provide a presumption of disclosure, nor specifics for the Secret Service to rely on. In other words, if the agents would rather the suspects to know as little as possible about what they know, there's nothing in this law to require retail disclosure.

Here's another interesting exemption: "Section 312(b) exempts a business entity or agency that conducts a risk assessment after a data breach occurs, and finds no significant risk of harm to the individuals whose sensitive personally identifiable information has been compromised."

That's interesting because the bill-again-offers no specifics to help someone make that determination. What constitutes significant? Executives involved in several recent major breaches-including Heartland-have argued, for various reasons, that their customers are not really at risk. Who is conducting that assessment?

If it's being done by the retailer itself-or by an assessor being paid by the retailer-I think we can make a pretty good guess that it will be a rare breach where the chain will find a significant risk of harm to its customers. The government is trusting the breach victims-with PR departments and lawyers trying to fend off class action lawsuits-to make that determination? Perhaps if it gave that job to the Secret Service, along with specific criteria to determine what the Senate means by significant, then maybe that provision could work.

That section also gives us this well-intentioned gem: "A rebuttable presumption exists that the use of encryption technology, or other technologies that render the sensitive personally identifiable information indecipherable, and thus, that there is no significant risk of harm."

Wait a second. Are they actually saying that if the chain used some element of encryption, it's exempt? What if the chain has a reason to believe that the cyber thieves had cracked their encryption? What if-as actually happened with TJX-the bad guys also stole the encryption key, making the encryption of no value?

More importantly, even if the chain had no reason to believe either the key had been intercepted or the encryption had been cracked, there's still the fine chance that the bad guys could crack the encryption later. Having a blanket statement that says, in effect, "If you use encryption, no need to disclose anything. We're all fine here" is ludicrous.

One other part of the bill-Section 312(c)-has an even more vague exemption from the notice requirement "if a business entity has a program to block the fraudulent use of information -- such as credit card numbers -- to avoid fraudulent transactions. Debit cards and other financial instruments are not covered by this exemption."

So if a chain has any program that is supposed to block the fraudulent use of credit card numbers, they're off the hook for reporting breaches? OK, I'll ask: With all of these broad exemptions, what major retailers does this possibly leave that still would be required by this bill to do anything?

It would be easy to dismiss this bill if it were the work of some freshman congressman out there, with no experience and almost no staff. But this is the work of a veteran Senator, who is the chairman of one of the Senate's most powerful committees. Even worse, this bill has been introduced twice before, giving his staff plenty of time to learn all of its holes the hard way.

The U.S. Senate needs to get involved, establish one federal standard for data breach procedures and put some serious teeth into it. That bill is needed. This bill, however, seems designed to get headlines from reporters who don't read the actual legislation and to make it sound like it's going to change something. A bill is definitely needed, but this one-in its present form-isn't it.
By Evan Schuman
Special to CBSNews.com