The SAFE Data Act has taken another step towards becoming the nation’s first federal breach notification law. And as the bill proceeds through the legislative process, a debate begins to emerge (imagine that!). There is a lot of noise being made about the fact that the bill requires notification within 48 hours of a breach.

The following is a well-written article discussing why 48-hour breach notification is unreasonable for most businesses; it quotes Larry Ponemon, of the Ponemon Institute, as suggesting that a one-month window may be more appropriate: http://www.informationweek.com/news/security/management/231003004#

But I think everyone making this argument may be missing something… When I read the actual language of the bill, it doesn’t look to me like notification is being required within 48 hours of the breach. Here’s a snippet of the core part of the bill that talks about notification requirements:

EVENT OF A BREACH OF SECURITY.

(a) REQUIREMENTS IN THE EVENT OF A BREACH OF SECURITY.—Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information related to that commercial activity, following the discovery of a breach of security of any system maintained by such person that contains such data, shall, without unreasonable delay—(1) notify appropriate Federal law enforcement officials of the breach of security, unless such person determines that the breach involved no unlawful activity; (2) take such steps necessary to prevent further breach or unauthorized disclosures; (3) identify affected individuals whose personal information may have been acquired or accessed; and (4) not later than 48 hours after identifying affected individuals under paragraph (3), unless . . . 

The full bill can be viewed here.

If you look at point (4), you can see that what the bill actually calls for is notification “not later than 48 hours after identifying affected individuals under paragraph (3)”, but paragraph (3) doesn’t specify a particular time limit for identifying affected individuals.

The way I’m reading this, it would seem that a company could legally take several weeks to conduct a thorough investigation into the incident and determine who was affected. Once that has been determined, THAT is when the 48-hour countdown for notification starts.

I agree with Larry Ponemon’s position that a month would be more realistic for most businesses to provide notification, but it seems to me that the bill in its current form would allow for that.

Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services