But in light of this bill's lengthy exemptions and data breach size limits—public disclosure, for example, is only required when a breach impacts more than 5,000 people in one state—the National Retail Federation issued a statement saying it fears that with so many retailers having to report data breaches under this legislation people might get bored and start to ignore the notices. NRF dubs this scenario "notice fatigue."
What does it say to the nation when the chief lobbying organization charged with protecting retail interests publicly trumpets the fact that it believes there will be a huge number of data breach reports if full disclosure is required? Yeah, that makes me want to go and buy stock in Wal-Mart and Walgreens right away.
Alas, NRF, fear not. The bill—which has fairly little chance of being made law without being riddled with so many more loopholes as to be meaningless—won't likely yield many new disclosures from major chains. Let's drill down into what the current version of the bill actually says.
To begin with, public disclosure is limited to situations where "the number of residents of such state whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person exceeds 5,000." First, it's mathematically unlikely that we'll be seeing thousands of such reports. Second, if we are, sorry, but those chains need to disclose. And if we do indeed have thousands of such retail breach disclosures every year, we have a much bigger problem than consumers getting bored with such notices. Some of them might even get a little angry. (Not that American consumers will do anything about it. We're such an apathetic, lazy lot.)
The bill also allows for individual consumer notifications in breaches with fewer than 5,000 victims, and it doesn't set a limit on those notifications. With them, though, the time restrictions are impressively soft.
The bill allows for delays for any "time necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment and restore the reasonable integrity of the system," among other things.The bill allows for delays for any "time necessary to determine the scope of the security breach, prevent further disclosures, conduct the risk assessment and restore the reasonable integrity of the system," among other things. Is that all? As evidenced by recent major breaches—quite legitimately, by the way—those conditions could easily extend to the end of time itself. How long does it take to completely determine the scope of a breach where security logs are manipulated by the intruders? How long will it take to absolutely prevent any further disclosures? How about that "restore the reasonable integrity" part?
The bill, though, tried to set an upper limit of 90 days, but with sufficient law enforcement exceptions to allow it to extend far beyond that.
"If the United States Secret Service or the Federal Bureau of Investigation determines that the notification required under this section would impede a criminal investigation, or national security activity, such notification shall be delayed upon written notice from the United States Secret Service or the Federal Bureau of Investigation to the agency or business entity that experienced the breach. The notification from the United States Secret Service or the Federal Bureau of Investigation shall specify in writing the period of delay requested for law enforcement or national security purposes."
In general, the bill wants 30-day delays, but it gives no limit if law enforcement decides on its own that "further delay is necessary." Notification also wouldn't apply if the Secret Service or the FBI "determines that notification of the security breach could be expected to reveal sensitive sources and methods or similarly impede the ability of the Government to conduct law enforcement investigations."
It's important to remember that, in general, law enforcement is focused primarily (if not exclusively) on catching the bad guys and preventing them from doing this to others. The preventing is generally done by the catching. Law enforcement would always prefer to keep things quiet for as long as possible, to try and capture the bad guy and to learn as much as possible before the bad guy discovers his attack has been discovered.
The bill does require businesses to tighten up security, but the type of data it's trying to protect is overwhelmingly only at issue with retailers that take credit and/or debit cards. Most cash-only (or cash- and check-only) businesses retain very little personal data. And credit-card-accepting retailers already have to do everything the bill specifies as part of PCI compliance, so it's really unlikely to have any impact there. The bill, however, does do some meaningful things to dilute prosecutions of data breaches, which is presumably the opposite of its goal.The bill, however, does do some meaningful things to dilute prosecutions of data breaches, which is presumably the opposite of its goal. Today, the Federal Trade Commission complains—with good cause—that it has little power to punish retailers that violate its rules. The fine limits the FTC has do little to discourage bad actions from chains whose revenue is in the billions of dollars.
Leahy reported last week that new changes will "address concerns about excessive civil liability for enforcement actions brought by the Federal Trade Commission" and "concerns about excessive civil penalties for enforcement actions brought by the Attorney General and the Federal Trade Commission."
Not to worry, though; state attorney generals can always move in, because they have more fine options than does the FTC. Right? Not if this bill is passed. It specifically prohibits states from prosecuting cases where the feds are involved. So the same bill that sharply limits what the feds can do with data breach violators also prevents the states from getting involved?
But wait, it gets better. If the goal of the criminal is identify theft—as opposed to direct credit-card fraud—there's a ton of extremely useful information in retail databases. Alas, the bill's current version goes out of its way to exclude any CRM data theft.
The personally identifiable data is referred to in the bill as a consumer's "personal electronic record," which it defines as data associated with an individual contained in a database, networked or integrated databases, or other data system that is provided by a data broker to nonaffiliated third parties and includes personally identifiable information about that individual." Makes sense. But the next line is the chief exclusion.
"The term 'personal electronic record' does not include any data related to an individual's past purchases of consumer goods or any proprietary assessment or evaluation of an individual or any proprietary assessment or evaluation of information about an individual." Well, so much for CRM files.
One of the tougher–sounding provisions of the bill is personal responsibility—backed up with a threat of five years in prison—for anyone who knows of a breach and "intentionally and willfully conceals the fact of such security breach."
At first blush, the bill sounds like it's threatening retail IT employees with prison if they don't report breaches. But it doesn't really go there. To begin with, "intentionally and willfully concealing" is quite different from not volunteering. This would cover an IT manager who personally forged security logs to keep IT management and the government in the dark about a breach. But it's not suggesting prison time for someone who fails to report a breach.
And even if someone did hide a breach, almost no retail breaches would be relevant anyway. The bill limits that exposure to breaches where "economic harm to any individual in the amount of $1,000 or more." As the TJX and Hannaford breaches made clear, payment card zero-liability rules make it just about impossible for consumers to have any significant out-of-pocket costs and certainly not $1,000 or more.
Had that provision spoken of losses to retailers of $1,000 or more—alert costs, security fixes, reissuing of payment cards, etc.—and used that to define a serious breach, this would be a very different bill.