International Trade Today is a service of Warren Communications News.

Cal. Legislator Ready for Follow-Up to High-Impact Breach Notice Law

SAN JOSE -- The author of a Cal. data-breach notification law that sent ripples from state capitols to Capitol Hill said he'll introduce a follow-up bill in 2007 if the U.S. doesn’t pass a law at least as strong as his in 2006. “Lead, follow or get out of the way,” was the blunt message to Congress Cal. Sen. Joseph Simitian (D-Palo Alto) gave last week at the RSA Conference here. He’s prepared to offer legislation to “tidy up any issues of concern to business” or to tighten the law on the books, he said.


Simitian favors nationwide breach-notification rules, whether by act of Congress or all states, he said. “A good strong national standard” in federal law would be fine, he said, but for Congress to “gut the protections” enacted in Cal. and other states would be “a matter of great concern.”

Cal. and its notice law inspired 23 other states to do likewise, Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. Former FTC Comr. Orson Swindle said proposals had surfaced in 19 others. “With that many laws there can be an awful lot of confusion,” Swindle said: “There can be a legitimate argument for preemption.” Otherwise, Swindle said, the most rigorous state law becomes a de facto national standard.

But Swindle said retailers and others must provide better security information, because consumers are losing confidence in online transactions. “We are going to kill the goose that lays the golden egg” unless personal data are protected, he said. And e-health will flounder without data security, Kurtz said. That’s why technology companies should support strong breach notification legislation, Simitian said.

Of breach notification bills in Congress, those from the House and Senate Commerce committees are furthest along, Kurtz said. A bill by Sens. Specter (R-Pa.) and Leahy (D-Vt.) to set specific requirements for vulnerability and authentication assessment and for access controls “could go somewhere,” but its prospects are less promising, he said. Kurtz said he favors a federal law but, like the Commerce bills, without technology mandates.

Simitian has been “pleasantly surprised” about his law’s effect beyond Cal., he said: Companies realized that “once they're going to give California notice,” they might as well notify affected customers elsewhere, too, he said. Simitian said his measure spurred firms in 2 ways to improve security: It exempted breaches of encrypted data, and for disclosures of unencrypted data, “corporate shame is a very strong motivator,” he said. The encryption exemption has spread to other states’ laws and congressional bills, Kurtz said. Stock price drops, brand damage, suits and lost customers are other incentives to prevent breaches, Swindle said.

But the stick alone isn’t “going to change the culture inside and out,” as needed at companies, said Richard Baich of PricewaterhouseCoopers. Positive incentives, such as more favorable Small Business Administration loan rates for secure businesses, also are required, he said. -- Louis Trager

RSA Conference Notebook…

Social obligations imposed on VoIP won’t go away but will only pile up, Microsoft Compliance Mgr. Scott Forbes said. A “perfect storm” of circumstances favors regulation, Forbes said last week at the RSA Conference in San Jose: (1) VoIP’s rising popularity. (2) A growing focus on social obligations rather than regulation for competition in telecom. (3) High visibility, notably in coverage of fatalities from failed bids to use VoIP for 911 calls. (4) Financials like Public Safety Answering Points’ money needs and incumbent providers’ scant VoIP revenue. “In 2 years, we've had more regulation on VoIP than we had in telephony in 100 years,” Forbes said. Federal policy-making aims to “create a playing field where everyone looks the same” among wireline voice service providers, he said. Rather than stick VoIP in a standard regulatory silo by Telecom Act title, the FCC is using “piecemeal, incremental regulation,” Forbes said. The FCC has focused on a subset of Internet voice it defines as “interconnected VoIP,” but DoJ’s stance on CALEA compliance and draft federal bills on customer proprietary network information seek more general regulation of VoIP, Forbes said. Today’s noisiest issues are the least important, he said, referring to data protection, disability access and competition. “The big 3” are law enforcement and emergency services access and universal service, which Forbes defines as relating mainly to “enormously expensive” network build-outs in the Midwest’s low-density “square states,” he said. “The FCC is very much engaged” in such matters, and on CALEA and other issues, DoJ and the rest of the Administration mainly get what they want from the Commission, Forbes said. The crucial definition of “call identifying information” for purposes of VoIP CALEA compliance awaits a 2nd FCC order on the topic, probably in 3-6 months, he said. That order likely will put off the compliance deadline, Forbes said. When the order is challenged in court, Congress probably will respond by rolling VoIP obligations into a broader law applying CALEA to all electronic communications, he predicted. And VoIP will be subject to universal service fund contributions, Forbes said. Beyond these matters, policy-makers have yet to settle crucial questions on VoIP, he said: Municipal Wi-Fi, ad-supported VoIP businesses, call encryption, replacing phone numbers in caller identification, trusted 3rd parties and hybrid networks that include conferencing, wired-wireless convergence and so-called leaky PBXs.