The progress of a U.S. Senate bill that would require companies to disclose any compromise of sensitive data was slowed this week to allow for more input from senators.
Several IT managers interviewed this week criticized the proposed bill because it calls on companies to disclose the loss of data regardless of whether it’s encrypted, and because it calls for fines of up to US$11 million for failing to report losses. The managers contend that encrypted data is unlikely to be decrypted and read if stolen or lost.
The federal proposal comes after several firms reported the loss of personal data in recent months through the theft or loss of tapes and through Internet breaches.
The Identity Theft Protection Act was slated to be presented to the Senate Committee on Commerce, Science and Transportation this week, but the move was postponed “due to overwhelming member interest in identity theft legislation,” according to the committee’s Web site. The bill is sponsored by Commerce Committee Chairman Sen. Ted Stevens (R-Alaska) and Sen. Daniel Inouye (D-Hawaii).
If the bill becomes law, organizations that hold sensitive personal data will be required to secure it with “physical and technological safeguards that will be specified by the Federal Trade Commission.”
“You’re micromanaging, and you’re going to add some dollar amount to someone’s business that has no effect on the general population,” said Bo Coughlin, vice president of the commercial services division at Time Warner Cable Inc. Time Warner last spring reported the loss of backup tapes that contained the personal information of about 600,000 current and former employees.
Coughlin said he understands the principle behind the bill — to protect and inform the public. However, he said companies already do all they can and contended that the law would be a deterrent to encrypting data on digital tapes.
Sophie Louvel, an analyst at Financial Insights in Framingham, Mass., said encrypted data isn’t protected as fully as some companies believe. “The encryption can be decrypted pretty easily,” she said.
Charlie Fulks, CEO of Credit Union Data Processing Inc. in Farmington, Utah, whose firm started encrypting data this year, also opposes a requirement that the loss of encrypted data be reported.
Fulks pointed out that encrypted digital tapes that get lost in transit are very secure.
Lev Katz, data center operations manager at MidAmerica Bank in Naperville, Ill., said he would want to be notified if his personal data was compromised, even if it was encrypted. “And I’m working at a bank, so that means a lot to me,” he said.
Daniel Chow, an IT systems and security engineer at Boeing Employees’ Credit Union in Tukwila, Wash., said he “strongly” agrees with the bill in terms of it “lighting a fire underneath some firms’ butts to start protecting their data.”