When the White House issued its big-data privacy report on May 1, it recommended the passage of federal breach legislation "to replace a confusing patchwork of state standards." Although that may have sounded like good news to the development community — the folk who generally bear the brunt of complying with such security requirements — it's only a step in the right direction if your goal is falling off of a cliff.
Having one federal standard rather than a large number of state standards is an unquestionably good thing. I'm not arguing against that. But the exceptions spelled out in the report and one rather obvious omission make the whole effort rather pointless. (Let's leave aside the question of whether putting any nuanced business problem in the hands of Congress and expecting them to figure out a realistic solution is akin to administering an astrophysics final to your pet rock. No need to belabor the obvious.)
Let's start with what the report recommends. In discussing big data, it makes a reasonable point: "Amalgamating so much information about consumers makes data breaches more consequential, highlighting the need for federal data breach legislation to replace a confusing patchwork of state standards. The sheer number of participants in this new, interconnected ecosystem of data collection, storage, aggregation, transfer, and sale can disadvantage consumers."
In short, the more you collect, the more you can lose.
Here's where things get dicey: "Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents."
Let's take those one at a time:
Reasonable time period for notification
What is a reasonable time period? Many retailers would argue that it's reasonable to wait until the report can be confirmed as accurate, which means allowing for a comprehensive forensic analysis plus other testing. And maybe a second or third opinion.
Reporting the matter quickly is almost always going to mean delivering preliminary and wrong data. To the extent that such disclosure helps anyone — an assumption that I challenge — isn't disclosing incorrect data harmful?
This also raises the question of when the clock should start. Is it from when the breach occurs? When the company is told that there might have been a breach? When it's confirmed?
Please remember that large companies can get thousands of reports of potential breaches every day, from software that looks for any anomalies. Knowing that more than 99.99% of those reports turn out to be of no concern, when should the notification clock start?
Prioritize large over small
Is this relative to the size of the company involved, or is it a fixed number of people affected? Given that it will likely be a fixed number — Congress has never been a big fan of nuance — doesn't that let tons of smaller and midsize companies off the hook?