Latest breach revives call for action to protect data

The Cyber Security Industry Alliance is calling on the new Congress to pass comprehensive data-security legislation after another massive data breach reported last week.

TJX, the parent company of stores including Marshalls and TJ Maxx, announced that hackers broke into a system that handles credit- and debit-card transactions. The company has refused to say how many customers were affected.

Liz Gasster, president and CEO of CSIA said the episode "has the potential to be a very large breach," and the fact that the company is based in Massachusetts, one of 15 states without breach laws, highlights the need for national legislation.

Several data-security bills were introduced last session, some addressing protections for data housed by commercial companies and others addressing sensitive data stored by various government agencies. The legislation outlined requirements for notifying affected consumers in the event of a security breach and sometimes mandated preventive measures like encryption.

Various committees, including the House Government Reform and Financial Services panels, held hearings, but none of the legislation became law.

"The real boogeyman for why data security didn't pass was jurisdictional issues," Symantec lobbyist Kevin Richards said.

He said new House Financial Services Committee Chairman Barney Frank, D-Mass., has floated the idea of a task force made of members of the various committees to overcome the jurisdictional battles and pass legislation.

"That's something we're very optimistic about and would encourage," Richards said.

So far this session, Sen. Dianne Feinstein, D-Calif., has introduced a bill, S. 239, that would require federal agencies to disclose data breaches, and Rep. Jo Ann Davis, R-Va., has introduced a measure, H.R. 516, that also just addresses the security of government data. It would require encryption for all sensitive data housed by government agencies and also outline security requirements for government workers and contractors with access to the data.

"The biggest priority is to pass a comprehensive data-security law that applies to all entities," Gasster said. "A lot of proposals focus on the private sector. I think it's important for the law to apply equally to the government and the private sector."

Gasster said it does not make sense for security standards and procedures to change depending on where the data rests because it certainly does not matter to an identity-theft victim. She said it is especially unfair to consumers when a government agency fails to secure sensitive data.

"We can choose to do business with a company," Gasster said. "When we do business with the government, we don't have a choice."

Like Gasster, Richards hopes to change the debate from not just one of notification after breaches but prevention of breaches. "There should be incentives for companies that do the right thing," he said. "If they encrypt information and data is unusable, they shouldn't have to report a breach."

Gasster hopes the TJX breach will help Congress put "jurisdictional differences aside" and pass legislation this session.