Wednesday, December 12, 2007

Data Breach Notification Prioritized over Identity Theft Restitution

According to this article from SC Magazine the House Judiciary Committee is likely to give precedence to a bill making it a federal crime to fail to notify law enforcement in the event of a major security breach. The alternative proposal, which is not expected to be voted on before the end of the year, would have made it easier for victims of identity theft to recover compensation and also would have facilitated prosecution of individuals deploying botnets. Based on my understanding of the legislation, I'm not sure that either bill would have any real effect. State data breach notification statutes already have the effect of forcing businesses to disclose when a security breach takes place, so I'm not sure what would be accomplished by having a separate federal law which requires only notification of law enforcement. Regarding the bill which would help victims of identity theft recover compensation, victims of identity theft can get compensation now (or more than compensation, as described here) - assuming they can find the thief. The reason people end up having to eat costs of identity theft isn't because the law won't help them, it's because they can't find the perpetrator. Similarly, when it comes to prosecuting individuals who maintain botnets, I don't see the problem as being one with existing law. Instead, finding people controlling botnets can be difficult, end even if they are found, there is no guarantee they will be within the reach of U.S. courts.

With that having been said, I think the mere existence of these bills is a positive step. The federal government is way behind the states when it comes to protecting privacy, and privacy protection is something that (ideally) should be approached in a manner that isn't limited by state borders.

No comments: