National data security standard, strong breach notification requirements urged – as well as ‘do no harm’

A national data security standard and strong notification requirements when a data breach occurs were two top recommendations of most of the financial institution and data security experts testifying before a House subcommittee Wednesday. However, lawmakers were also cautioned to “do no harm” as they proceed.

In remarks before the House financial institutions subcommittee, those testifying largely endorsed a national standard to, as one witness put it, “address what is truly a national issue.”

According to Aaron Cooper of The Software Alliance, a national standard should be designed to establish expectations for data stewardship that reduce the risk of future breaches and to ensure that consumers receive timely and meaningful information when their personal information is compromised.

“A uniform national framework would benefit businesses and consumers alike. It would replace the patchwork of state laws that are now creating confusion and difficulties, allowing businesses to focus their resources on incident response rather than unraveling the current thicket of compliance requirements,” Cooper said.

He said that a federal standard should have three goals: minimize the risk of breaches; mitigate the impact of breaches when they occur; and reduce the complexity of compliance.

Echoing his views was Kim Sponem, president and CEO of Summit Credit Union in Madison, Wis. In addition to recommending a strong national standard and strong notification requirements once a breach has occurred, she urged lawmakers to consider mandating “shared responsibility costs.”

“My credit union and other credit unions need data breach legislation that makes the breached entity responsible to others in the payments ecosystem for losses and other damages that are the result of a data breach,” she told the committee in her prepared remarks.

“The current system where consumers are protected from loss because financial institutions bear the responsibility for reimbursing their members and customers for losses stemming from data breaches is not fair or sustainable, as the pace and losses from breaches accelerate year after year,” she added. “Thus, under the current system, financial institutions essentially provide insurance for the entire payments ecosystem while those merchants and other entities whose deficient systems cause the breach have little incentive to properly safeguard consumers’ data, because they have no financial incentive or legal requirement to do so.”

Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), offered further recommendations, including: limit the use of Social Security numbers (SSNs) in the private sector; provide consumers with free credit freezes and “thaws” (in other words, change the default for report disclosures to “opt in”); give consumers a “private right of action” and eliminate mandatory arbitration; and provide the public with free monitoring and easy access to credit history.

However, Paul Rosenzweig, Senior Fellow, R Street Institute, Red Branch Consulting, PLLC, urged a dose of caution in proceeding with standards and required notifications.

“Precisely because cyberspace is unique in its rapidly changing and path‐breaking nature, we face the almost intractable problem of creating policy too slowly to be of any utility,” he told the lawmakers. “We should neither want to overly diminish the problems nor be sanguine about the capacity to find useful answers. We should, however, approach the problem with a very healthy dose of humility. A flexible, modest, scalable approach is far better than a harsh regulatory mandate and deserves our serious consideration. Ultimately, then, the principal recommendation for government is to treat cyberspace like any patient with an ailment and ‘first, do no harm.’”

Examining the Current Data Security And Breach Notification Regulatory Regime