The latest proposal from President Barack Obama regarding legislation that the White House plans to introduce during the current session of Congress is generally welcomed by observers, but just about everyone with an oar in that water wishes it had been somehow different.
Predictably, the Republication-led Congress wants to use its own bill (which varies, depending on whether it’s in the House or Senate) while a number of states have already implemented laws on security breaches that reflect their views as to what’s best for their residents.
The proposed legislation is actually part of a continuing effort to get Congress to pass meaningful legislation that would set a national standard for how companies respond to the loss of customer confidential data as a result of a breach. For its part, Congress has been dealing with legislation aimed at similar goals for a couple of years, but to date has produced no actual laws covering the issue. The closest Congress came was in the most recent term when the House passed a law that was never addressed in the Senate.
This year, with the House and Senate both being controlled by the same party, there’s always the chance that some type of legislation might make it through. Whether any such legislation resembles what the White House is proposing remains to be seen.
During the president’s speech at the Federal Trade Commission headquarters, on Jan. 12, he noted that current rules are being enforced by the states, and that means that there’s a wealth of differing rules. The proposed national rule that’s being floated would require companies that have been breached to notify anyone who is affected within 30 days. But the proposal would also invalidate state laws that are stricter than the federal standard, including rules that call for breach notifications in less than 30 days.
Marc Rotenberg, president of the Electronic Privacy Information Center, told eWEEK that he welcomes the White House’s focus on data protection, but he said he worries that the end result could be weaker protection.
“If it replaces stronger state laws currently in place, that will be bad for consumers,” Rotenberg told eWEEK in an email. “The White House needs to move forward ‘federal baseline’ legislation that leaves the states free to develop stronger standards and to innovate.”
Equally serious, a number of security researchers said that the White House proposal only covers part of the problem and that more needs to be done, especially in terms of the sharing of breach data and in encouraging companies to work to prevent such breaches in the first place.
“With breaches happening more frequently and the damage getting bigger—especially when the primary threat is coming from the inside—this legislation will do little to slow down or stop the real threat,” Eric Chiu, president and co-founder of cloud security company HyTrust, said in a prepared statement. “Ultimately, companies need to stop viewing security as an insurance plan; instead, they need to think of security as a part of doing business. Until that happens, we will continue to see these breaches take place.”
Obama Breach Proposal Draws Criticism From Many Camps
Adding to the problem is a tendency of companies to view security issues as being proprietary, which means companies are unlikely to share the details of a breach willingly. While the proposed legislation does provide for protection for companies that share breach data, that doesn’t necessarily mean every company is going to comply.
“My biggest worry is that a big company wouldn’t want to report an attack,” said Tom Chapman, director of Cyber Operations at Edgewave. While the proposed legislation might protect companies, it doesn’t protect them in the court of public opinion, he said.
Chapman noted that because of the nature of cyber-operations, a national approach is really what’s needed, regardless of the laws in some states. “The geolocation of cyber is not necessarily fixed to one state or country,” he said.
Other groups have worried that the proposals don’t provide enough incentives for companies to follow good cyber-security practices. However, what many of the objectors don’t mention is that, in some cases, even a partially effective law is better than no law at all, and even partly effective practices focused in the right areas are better than none at all.
Unfortunately, a cyber-attack struck the U.S. Central Command at nearly the same time as the president’s announcement, which immediately distracted nearly everyone from the true issue, which is to find a way to create a national response to the growing issue of cyber-attacks. Regardless of who was behind the hacking of the USCENTCOM’s Twitter and YouTube sites (the hackers claimed to be ISIS, but almost certainly weren’t), that event misses the central issue of protecting companies and their customers.
The central issue is really about opening the previously closed door that hides breaches so that the extent of damage is known. That knowledge doesn’t need to be an embarrassment to the company that was attacked (especially since nearly every company will be attacked eventually), but is necessary so that customers and business partners can protect themselves. Ultimately, this needs to be about more than just protecting a single company from embarrassment; it needs to be about protecting the resources of every other person and company, as well.