Industry giants lobby to kill pro-consumer data-breach legislation

In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.

At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision. They claimed that by putting a list of breach notification reports online, the AG's office would provide phishers and other online fraudsters with ammunition with which to engage in phishing attacks. A lobbyist for Microsoft argued that phishing emails would be sent out to consumers, including a link to a real breach report on the AG's site, and then include a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into inputting their personal information.

The state of New Hampshire already posts copies online of all breaches reported to its Department of Justice. The state has done this for the past year, yet in hours of searching, I've been unable to find a single phishing site or email that has referenced a breach report on the New Hampshire site. While New Hampshire regularly posts these reports, it is not required to by law, and only does so because someone in the attorney general's office is forward thinking and pro-consumer.

In addition to the New Hampshire site, both the Privacy Rights Clearinghouse and Attrition.org collect and publish data breach reports online. Attrition.org is even nice enough to provide an RSS feed of the latest breach reports, perfect for interested parties, or computer geeks wanting to create a mashup.

I spoke with Paul Stephens of the Privacy Rights Clearinghouse this afternoon to get his thoughts on the attempt by lobbyists to kill Indiana's breach Web site bill. When asked if PRC's site or reports located on it had been used by phishers, he dismissed the lobbyists' claims, and stated that "we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information." He added that "virtually every security breach already gets reported by the media."

In addition to the breach Web site requirement, the bill, also fixes a number of loopholes in the current breach notification law. The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password does nothing to protect the data if the hard disk is taken out of the computer. The proposed bill fixes this loophole, and requires instead that companies wishing to avoid breach notification use strong data encryption with an undisclosed key. As the law currently stands, an employee can have her Windows login password written on a post-it note stuck to her laptop, and yet the company will not be required to notify consumers.

The proposed data breach notification bill was written by my local state representative, Matt Pierce, after I contacted him back in mid-2007. I voiced my concern about flaws in the existing law after I discovered, and publicized an undisclosed 2006 data breach incident at Indiana University. Representative Pierce asked me to come up with a list of changes that I would like proposed, and asked me to try and find states that already had similar provisions on the books.

It took several months to hammer things out--and it took the help of Indiana University privacy law Professor Fred Cate who acted as the voice of moderation and wisdom, but eventually, Representative Pierce submitted a bill in January that included most of the changes that I requested.The bill sailed through the State House of Representatives a couple weeks ago, passing 94-0. It is only now that it has come up for consideration in the Senate that the industry lobbyists have decided to try and sabotage one of the most pro-consumer parts of the legislation.

I drove up to Indianapolis this morning, and testified before the Senate committee considering the bill. Apart from Representative Pierce, I was the sole voice calling for the bill's passage, while more than 10 lobbyists took turns at denouncing the bill as a gift to phishers and fraudsters.

While the encryption parts of the bill may end up passing, I suspect that the lobbyists may get their way, and kill the breach notification website requirement in the bill.

No matter what happens, this has been a fantastic experience for me, and a chance to see democracy in action (including the sordid world of lobbyists). A bill that I asked for and helped to draft passed through the house 94-0. I got to testify before a Senate committee, and with any luck, some of the loopholes in the existing law that I identified may be closed.

Anyone wishing to help to save the pro-consumer AG Web site notification parts of the bill (HB 1197) may want to try and call up the state senators on the Indiana Senate Committee on Corrections, Criminal, and Civil Matters. All can be reached by calling the Senate switchboard at (317) 232-9400.

These are:

• Senator Brent Steele,
• Senator R. Michael Young,
• Senator Jeff Drozda
• Senator Brent Waltz
• Senator John M. Waterman
• Senator Richard D. Bray
• Senator Joe Zakas
• Senator Karen Tallian
• Senator Tim Lanane
• Senator Jim Arnold
• Senator Glenn Howard