Last Tuesday Rep. Schakowsky (D,IL) introduced HR 4187, the Secure and Protect Americans’ Data Act. This is a very comprehensive personal data protection and breach reporting act that gives the FTC regulatory authority over these matters.
New Regulations
The FTC is required to promulgate regulations pertaining to the requirements for securing ‘personal information’ {§2} and reporting breaches that result in “personal information [that] was, or is reasonably believed to have been, acquired or accessed by an unauthorized person, or used for an unauthorized purpose” {§3(a)(1)}.
The definition of personal information {§5(6)} is quite extensive and includes a wide variety of identification information. Items of particular interest to readers of this blog include:
• Unique biometric or genetic data such as a faceprint, fingerprint, voice print, a retina or iris image, or any other unique physical representations {§5(6)(v)};
• Information that could be used to access an individual’s account, such as user name and password or email address and password {§5(6)(vi)};
• An individual’s first and last name or first initial and last name and any security code, access code, or password, or source code that could be used to generate such codes or passwords {§5(6)(vii)};
• Digitized or other electronic signature {§5(6)(xi)};
• Nonpublic communications or other user-created content such as emails, photographs, or videos {§5(6)(xi)}; and
• Any additional element the Commission defines as personal information {§5(6)(xiv)}.
Moving Forward
Ms. Schakowsky is the Ranking Member of the Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee, the Committee to which this bill was referred for consideration. While none of the seven co-sponsors are Republicans, they do include other influential members of the Committee, including Rep. Pallone (D,NJ), the Ranking Member. There is a chance that this bill could be considered in Committee. If it does get recommended out of Committee, then it could move to the floor for consideration, probably under a rule.
Commentary
With all of the big name data breaches that we have seen in the public sector over the last couple of years, there have been a number of data breach bills introduced in the 114th Congress, and this probably will not be the last. This bill is, however, one of the most comprehensive and wide-reaching that I have seen. It does not, for example, contain a minimum breach size or database size for a breach to be considered by the regulator.
Most breach legislation to date has been more specifically targeted at IT processes and financial information in particular. Looking at the list above of covered personal information that I abstracted from the bill, it is quite clear that the staff writing this bill was greatly expanding the types of information included, and thus the businesses that would potentially be covered by the resulting regulations.
Because there is no minimum size for a covered breach, even the loss of a single user name/password combination would technically be covered. This could directly affect attacks on control systems where that information was (or could have been) taken by the attacker. We have seen a large number of vulnerabilities over the last couple of years that specifically put this information at risk.
I don’t currently see Congress taking on this bill due to its extremely comprehensive coverage. That could easily change if we have a series of very public credit card breaches over the holidays or some unusual type of large breach in a previously unaffected sector.