Washington, D.C. – It started with ChoicePoint nearly a year and a half ago.
Since then, data breach incidents have included some of the most recognized names in corporate America, government and higher education. The states moved first by signing more than thirty bills into law, all of which generally focus on holding data brokers and entities accountable by requiring that they notify consumers and individuals when their personal data has been somehow exposed.
Dual pressures are forcing Congress to do something, too. For one, many members feel compelled to act, as privacy and security issues are key matters of concern for most Americans. Secondly, the patchwork of state-based laws is creating challenges for business, hence the push for one federal, nationwide approach. Half a dozen bills have been introduced in Congress; some have already been voted out of committee and now await full floor action.
Federal legislative proposals differ in scope, and some preempt state laws to varying degrees. The bottom line is that if or when legislation is passed and signed into law, there will likely be new costs and requirements imposed on businesses.
The Data Accountability and Trust Act (DATA Act), H.R. 4127, for example, which passed the House Energy and Commerce Committee in late March with a 41-0 vote, requires that any company or person "engaged in interstate commerce that owns or possesses data in electronic form containing personal information, or contracts to have any third party entity maintain such data for such person" would be required to "establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information."
Other provisions in the bill require that entities:
● Establish a security policy concerning the "collection, use, sale, other dissemination, and maintenance of such personal information."
● Name a point person responsible for information security management.
● Establish processes for detecting vulnerabilities in the system, preventive maintenance and disposing obsolete data.
● Notify individuals and the Federal Trade Commission (FTC) when such personal information – such as a Social Security number, driver's license number or financial account number in combination with a person's name, address or phone number – has been breached (that is, acquired by an unauthorized person), and where it is reasonable to conclude there is significant risk of identity theft. A notice of the breach must be prominently posted on the entity's website.
According to the Congressional Budget Office (CBO), the mandates in H.R. 4127 would extend to millions of private entities, including small businesses. While CBO could not estimate the direct cost of complying with each mandate, it did report that the bill’s costs on the private sector would be greater than $128 million in at least one of the first five years that the mandates are in effect.
What about paper documents? Not all businesses and entities have digitized their documents (or they have digitized some but not all), and many smaller firms continue to employ a paper record-keeping method. Would bills like H.R. 4127 apply to them? The short answer is: probably, in the future.
H.R. 4127 first calls on the FTC to conduct a study on the practicality of requiring a standard method for the destruction of non-electronic data and obsolete paper documents. The FTC is then given the power to promulgate regulations to develop a standard.
The business-backed Coalition for Data Security has expressed concern about the "sweeping authority" granted to the FTC. In a July 19 letter to House Majority Leader John Boehner, R-Ohio, the Coalition wrote:
"There is no guidance provided to, or limitation on, the FTC in this rulemaking. The burdens of this provision would fall especially heavily on smaller enterprises that rely heavily on paper record keeping and which are not typically targets of ID theft attempts, especially those at which the bill is presumably directed."
With respect to H.R. 4127 in general, the Coalition expressed alarm regarding the FTC’s unlimited authority to regulate an entity’s sale and use of personal information; its weakness in advancing national uniformity; the possibility of "50 different applications of the law" as enforcement is allowed by state attorneys general; and the broad trigger on notification becoming exceedingly onerous as entities will always be compelled to act under the standard.
"If you can't protect it, don't collect it," said ranking member Rep. John Dingell, D-Mich., upon passage of H.R. 4127 out of the House Energy and Commerce Committee.
But given that businesses are required by law to collect certain data from individuals, such as Social Security numbers from employees and other personal information to prove U.S. citizenship, firms really have no choice but to collect data. In other words, if they don't collect "it," they are certainly breaking the law in many instances.
So what’s a small business (with limited resources) to do? Some firms may already be coping with new state regulations, but a layer of federal regulations may add complications and new costs.
At the Progress and Freedom Foundation's recent Aspen Summit, Arthur W. Coviello, chief executive officer and president of RSA Security, Inc., remarked that "rational, consistent government policy is critical to the nation's competitiveness." He suggested that leadership is important and that multiple players – government, businesses, consumers and nonprofits – need to step up.
For businesses, Coviello said, that means a proactive security strategy rather than bolting security on "in a defensive and reactive way." He called for a safe harbor for organizations that employ best practices – for example, those that encrypt data and have a sensible program in place.
To help small firms cope in the current environment, the Council of Better Business Bureaus (CBBB) and Privacy & American Business (P&AB) launched an initiative that provides firms with a non-technical roadmap to securing their customer and employees’ data. The program includes free, easy-to-read toolkits.
Barring any major incident in the next couple of weeks (there are only 15 days left on the legislative calendar before members of Congress leave town to campaign for the upcoming election), there will likely be no movement on Capitol Hill to fully advance data security legislation. However, the fix is in to do something, and small firms would be wise to develop or fine-tune their data-security processes in preparation for mandated requirements to do so in the future.
Karen Kerrigan is president & CEO of the Small Business & Entrepreneurship Council, a research and advocacy group based in Washington, D.C. that works to protect small business and promote entrepreneurship. She is also founder of Women Entrepreneurs, Inc., an association helping women business owners succeed through education, networking and advocacy. Kerrigan can be reached at email@example.com.