Friday, May 26, 2006

The Rules Are Different For US


Lax Standards for Feds in Data Breach Vote

Talk about your double standards. The federal government will, once again, be held to a lesser standard than the rest of us. The newly proposed data breach standards offered in Congress will hold businesses and private citizens to a higher standard than the government.

This is rather confusing because one would assume, based on statements by those in charge of our various government departments, divisions and agencies, that the federal government is more capable of handling IT security... but of course we know this is not the case, because we keep losing top secret materials at various federal agencies, as well as databases with identifying health care information about our veterans. The funny thing is that if a community health care agency had lost that data there would have been major fines and possibly some people serving jail sentences under the auspices of HIPAA. But the Fed continues to push the law upon us harder than upon itself, knowing that it should be held to the highest of standards.

We better invest in a large tube of KY jelly.

Days after a massive data leak potentially affecting more than 26 million American veterans became public, a U.S. House of Representatives committee approved a bill requiring written notice of information security breaches.
By a voice vote Thursday, the House Judiciary Committee adopted a bill that would require businesses to alert customers about security breaches. The panel also glued on a newly drafted amendment that would apply to federal agencies.

But in a bizarre twist, the legislation regulates the private sector far more stringently than government agencies--even though the Veterans Administration was responsible for one of the largest security breaches in history, one which officials now say could cost $500 million to clean up.

Feds' easy data breach rules
A House of Representatives panel approved on Thursday a data breach bill that regulates commercial companies more stringently than federal agencies--even though the Department of Veterans Affairs just lost a database of information on 26.5 million veterans.

R. James Nicholson, the Veterans Affairs secretary, said Thursday that: "I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of VA policies." On May 3, the unnamed employee's home was broken into and the database was stolen, Nicholson said. No encryption was used to protect the data.

The bill, called the Data Accountability and Trust Act, or DATA, establishes strict standards for commercial companies to follow in the event of a data breach--including notifying customers "as quickly as possible," posting an alert on their Web sites and picking up the cost of credit reports for one year.

Not one of those requirements would apply to federal agencies.

Sonia Arrison, director of technology studies at the Pacific Research Institute, said the situation should be reversed--with the federal government subject to stiffer rules.

"People don't have a choice about whether they're going to give data to federal agencies--they just have to give it up," Arrison said. "The law should be harder on the federal government than on the companies. It should err on the side of being harder on the Feds, because of the fact that you don't have a choice."

The original DATA bill was part of a flurry of congressional activity that emerged in the wake of several high-profile data breaches last year, including an incident at information broker ChoicePoint, which has since agreed to pay record fines.

The Business Software Alliance praised the bill's approval, saying it would "help fill cyberloopholes in the criminal code, encourage early notification to law enforcement, and provide the necessary tools to find and prosecute online criminals."

David Sohn, staff counsel for the Center for Democracy and Technology, said the bill might be reconciled with a second proposal called the Cybersecurity Enhancement and Consumer Data Protection Act, or CECDPA.

CECDPA also was approved by the House Judiciary Committee on Thursday and would require anyone who possesses personally identifiable information, such as a person's Social Security number or date of birth, to notify the U.S. Secret Service or the FBI of any "major security breach" before telling the public. Refusing to comply would result in imprisonment or escalating fines.


The provisions of this bill are also outlined in this article (see attached image).

The text of the bill is also available.
