WASHINGTON (6/11/08)— U.S. Senators John Kerry (D-Mass.) and Olympia Snowe (R-Maine) and U.S. Reps. Michael Michaud (D-Maine) and Donald Manzullo (R-Ill.) introduced a data security bill this week aimed at protecting small businesses.
In 2006 and 2007, staunching the hemorrhage of data breach incidents and creating tools to deal with their aftermath was a stated priority issue among committees in the U.S. Congress that have jurisdiction over such issues. In fact, during those years there was a bottleneck in the legislative process caused by a plethora of bills with different legislative approaches vying for attention in at least six different committees. However, in recent months the issue had been all but supplanted by such things as the country’s focus on the housing crisis, the ensuing credit crunch, and economic downturn.
The new data security bill, called the Small Business Information Security Act of 2008 (S. 3102 and H.R. 6206), would establish a Small Business Information Security Task Force within the Small Business Administration (SBA) to help small firms understand and effectively respond to the information security challenges they face. The task force would:
* Identify information security concerns and the services that address those concerns;
* Make recommendations to the SBA regarding how it can better assist small businesses to both understand cyber-security issues and identify resources to help meet those complex challenges; and
* Promote current programs and services that will help small businesses protect their customers' valuable information.
In a release, bill-sponsor Snowe noted a 2005 Small Business Technology Institute survey, which reported that more than half of all small businesses in the United States experienced a security breach in the previous year. Snowe, who is ranking member of the Senate Committee on Small Business and Entrepreneurship, said, “Given that the study concludes that nearly one-fifth of small businesses do not use virus-scanning for e-mail, over 60% do not protect their wireless networks with encryption, and two-thirds do not have an information security plan, it is clear that we must get serious about helping firms to protect themselves from cyber predators.”
On the House side, Manzullo said, “America’s 27 million small businesses are the job creators of our economy and we must do everything we can to help protect them from computer hackers and data thieves. This legislation will help them identify potential information security breaches and protect them and their customers from these cyber criminals.”
The bill’s authors, in announcing their initiative, noted the recent breach at the supermarket chain, Hannaford Bros., which exposed 4.2 million credit and debit card numbers to fraudulent use (see related News Now story: “Hannaford breach lawsuits consolidated under one judge”). The lawmakers said that breach indicates “the ease with which sensitive information can be obtained, regardless of the level of protection that might be in place.” Moreover, they added, as more small businesses seek to compete internationally, they must be provided with the tools to protect their information systems from countries with less stringent security laws.
Ryan Donovan, vice president of legislative affairs for the Credit Union National Association (CUNA), said, “This bill would be a step in the right direction, and we applaud the sponsors for recognizing that data security is a problem. But, we continue to urge Congress to look at the issue of data security in a comprehensive manner that recognizes that credit unions and their members are often not notified of data breaches until well after they have occurred, and are not reimbursed for the cost of the breaches.”
On the issue of data security on a broader level, CUNA supports legislation prohibiting the retention of sensitive, identifying information by merchants and certain non-financial companies from plastic card magnetic strips that could be obtained in connection with financial transactions. CUNA would like to see initiatives pursued that would require the major credit card companies to notify financial institutions when a breach has occurred, and for financial institutions to be able to disclose the source of the breach to the consumer. CUNA also supports a requirement that the breaching party, such as a merchant, reimburse the consumer or financial institution for any losses incurred and believes a uniform standard should be set.