Sunday, December 13, 2015

HR 4187 Introduced – Breach Notification

Last Tuesday Rep. Schakowsky (D,IL) introduced HR 4187, the Secure and Protect Americans’ Data Act. This is a very comprehensive personal data protection and breach reporting act that give the FTC regulatory authority over these matters.

New Regulations

The FTC is required to promulgate regulations pertaining to the requirements for securing ‘personal information’ {§2} and reporting breaches that result in “personal information [that] was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose” {§3(a)(1)}.

The definition of personal information {§5(6)} is quite extensive and includes a wide variety of identification information. Items of particular interest to readers of this blog include:

• Unique biometric or genetic data such as a faceprint, fingerprint, voice print, a retina or iris image, or any other unique physical representations {§5(6)(v)};
• Information that could be used to access an individual’s account, such as user name and password or email address and password {§5(6)(vi)};
• An individual’s first and last name or first initial and last name and any security code, access code, or password, or source code that could be used to generate such codes or passwords {§5(6)(vii)};
• Digitized or other electronic signature {§5(6)(xi)};
• Nonpublic communications or other user-created content such as emails, photographs, or videos {§5(6)(xi)}; and
• Any additional element the Commission defines as personal information {§5(6)(xiv)};

Moving Forward

Ms. Schakowsky is the Ranking Member of the Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee, the Committee to which this bill was referred for consideration. While none of the seven co-sponsors are Republicans they do include other influential members of the Committee, including Rep. Pallone (D,NJ) the Ranking Member. There is a chance that this bill could be considered in Committee. If it does get recommended out of Committee then it could move to the floor for consideration, probably under a rule.


With all of the big name data breaches that we have seen in the public sector over the last couple of years there have been a number of data breach bills that have been introduced in the 114th Congress and this probably will not be the last. This bill is, however, one of the most comprehensive and wide reaching that I have seen. It does not, for example, contain a minimum information breach size or data base size to be considered by the regulator.

Most breach legislation to date has been more specifically targeted at IT processes and financial information in particular. Looking at the list above of covered personal information that I abstracted from the bill it is quite clear that the staff writing this bill was expanding greatly the types of information included and thus the business that would be potentially covered by the resulting regulations.

Because there is no minimum size for a covered breach, even the loss of a single user name/password combination would technically be covered. This could directly affect attacks on control systems where that information was (or could have been) taken by the attacker. We have seen a large number of vulnerabilities over the last couple of years that specifically put this information at risk.

I don’t currently see Congress taking on this bill due to its extremely comprehensive coverage. That could easily change if we have a series of very public credit card breaches over the holidays or some unusual type of large breach in a previously unaffected sector.

No comments:

/* Use this with templates/template-twocol.html */