Software Industry Calls for Uniform National Standard for Data Breach Notification to Improve Security and Trust Online

Group Expresses Concerns About “P2P” Proposal

Washington, DC – May 5, 2009

The Business Software Alliance (BSA) calls for a uniform national standard for data breach notification in testimony being delivered today before the U.S. House of Representatives Energy and Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection.

In his testimony, BSA President and CEO Robert Holleyman says the software industry supports the objectives of H.R. 2221, the “Data Accountability and Protection Act.” According to a January 2009 report by the Identity Theft Resource Center (ITRC), the number of data breaches in 2008 increased by 47% compared to 2007, while identity theft has topped the Federal Trade Commission’s list of consumer complaints for nine years.

Holleyman says the bill, offered by Subcommittee Chairman Rep. Bobby Rush (D-Ill.), “would make a substantial contribution to the goal of improving security and trust online” by establishing a uniform national framework for data breach notification. The existing patchwork of 47 state and territorial laws “has created a compliance nightmare for businesses” and “creates confusion for consumers who receive notices for a multiplicity of sources.” BSA is offering suggestions for how to refine and improve the bill, including:

  • Raising the threshold for the risk-based approach to breach notification from “reasonable risk” to “significant risk,” to ensure that consumers receive notices of only genuine risks and don’t become “immune to over-notification”;
  • Amending the bill’s market-based incentive for the adoption of strong data-security measures by making it technology neutral, so that innovators could continue to develop new techniques and methods without the law favoring one type of measure over another; and
  • Requiring organizations holding consumer data to establish and implement policies and procedures for the protection of that data, rather than granting new authority to the Federal Trade Commission (FTC) to regulate such activity, which could create “a stifling compliance burden, with little to no gain in terms of increased data security.”

In his testimony, Holleyman also expressed reservations about the potential unintended consequences of H.R. 1319, the “Informed P2P User Act.” BSA welcomes the sponsors’ attention on the serious harms to consumers that are caused by some peer-to-peer file-sharing applications. But the high-tech industry is concerned that, as written, the bill could impose restrictions on many legitimate types of programs such as automatic security updates, “groupware” or collaboration tools, and Web browsers.

Holleyman says, “BSA recommends that the bill be modified to focus narrowly on the kind of software that has, in the past, been shown to create risks to consumers of unintentional exposure of personal information.” For example, the definition of “peer-to-peer file sharing programs” should:

  • Include only those programs that are used primarily to transmit or request copies of third-party copyrighted works;
  • Include only those programs that are used to transmit to, or request copies from, other computers running the same or a compatible P2P program;
  • Exclude programs or features that are used to transmit information to Web sites and other servers, as distinguished from other personal computers on a P2P network;
  • Exclude programs that are installed on computers by original equipment manufacturers (OEMs), which do not install the kinds of programs that are known to create risks for unintentional data disclosure; and
  • Exclude programs or features that transmit or request information for purposes that are internal to the functioning and maintenance of the program, such as caching information, updating the program, or diagnosing problems with the software.

Holleyman’s complete testimony can be found at: http://global.bsa.org/pdfs/RH_testimony-5-5-09.pdf.

Editor’s Note:
An October 2008 report by BSA contains anecdotes and statistics concerning the risks to consumers of peer-to-peer file-sharing programs that are often used to traffic in pirated software.

About BSA

The Business Software Alliance (www.bsa.org) is the foremost organization dedicated to promoting a safe and legal digital world. BSA is the voice of the world's commercial software industry and its hardware partners before governments and in the international marketplace. Its members represent one of the fastest growing industries in the world. BSA programs foster technology innovation through education and policy initiatives that promote copyright protection, cyber security, trade and e-commerce. BSA members include Adobe, Apple, Autodesk, Bentley Systems, CA, Cadence, Cisco Systems, Corel, CyberLink, Dassault Systèmes SolidWorks Corporation, Dell, Embarcadero, HP, IBM, Intel, Intuit, McAfee, Microsoft, Minitab, Quark, Quest Software, Rosetta Stone, SAP, Siemens, Sybase, Symantec, and The MathWorks.

Media Contact

Lars Anderson
media@bsa.org
202-715-1511