Government
Data breach legislation still lets agencies off the hook
Following hearings on the VA data breach, House committee adds federal agencies to legislation. But the new bill regulates government much less stringently than the private sector.
Following hearings on the VA's loss of 26.5 million, the House Judiciary Committee approved a bill that requires businesses to notify consumers of data breaches. The committee added an amendment that applies the rules to federal agencies as well, News.com reports. But even the amended bill fails to regulate agencies as strictly as it does private companies - even as political pressure mounts to punish VA Sec. Jim Nicholson.
The bill, called the Data Accountability and Trust Act, or DATA, establishes strict standards for commercial companies to follow in the event of a data breach--including notifying customers "as quickly as possible," posting an alert on their Web sites and picking up the cost of credit reports for one year.Not one of those requirements would apply to federal agencies.
Sonia Arrison, director of technology studies at the Pacific Research Institute, thinks that arrangement is ass-backwards.
"People don't have a choice about whether they're going to give data to federal agencies--they just have to give it up," Arrison said. "The law should be harder on the federal government than on the companies. It should err on the side of being harder on the Feds, because of the fact that you don't have a choice."
News.com offered this chart to show just how wimpy the new bill is with regard to government agencies.
| Requirement | Companies | Federal agencies |
|---|---|---|
| Web-based notification | Yes | No |
| Medical data breach must be reported to Secretary of Health and Human Services | Yes | No |
| Fines of up to $5 million | Yes | No |
| Subject to state attorney general lawsuits | Yes | No |
| Notify as "promptly as possible" | Yes | No |
| Must pay for credit reports | Yes | No |