Printed from BusinessInsurance.com

Attempts at data breach reporting standard stall

Posted On: Jul. 3, 2017 12:01 AM CST

Cyber security is a favorite topic for members of Congress these days, say observers.

“There is no lack of cyber security bills,” said Michael Born, Kansas City, Missouri-based vice president and account executive of the global technology and privacy practice at Lockton Cos. L.L.C. “It seems like everybody has an idea” on how to approach the issue.

Observers point to several pieces of legislation as potentially significant. But experts say they have pretty much given up hope of a uniform federal data breach reporting standard.

“Nobody is currently trying to make a uniform data breach notification requirement,” said Mr. Born. There are 48 states with their own statutes, and some other federal regulations that require notification, but no uniform statute.

While there have been attempts to achieve one, “none of them has gotten very far,” he said. “It almost seems as though they’ve given up.”

“Whenever you try to get a uniform standard for the entire country, you run into roadblocks” and the question as to whether it pre-empts federal law, he said.

Furthermore, legislators now prefer to focus on cyber security, he said. “At this point they feel like they have bigger fish to fry.”

Meanwhile, observers say a concept being discussed in Washington, although there was not yet a formal bill as of mid-June, is enabling malware victims to turn the tables on their hackers and hack them in turn.

The problem with such an approach, though, is the risk that this could potentially affect innocent parties, such as in a case where an internet service provider that distributes malicious traffic is shut down, said Doug Johnson, senior vice president for payments and cyber security policy at the Washington-based American Bankers Association.

“That’s just one example, but it kind of crystallizes what the debate will be around,” he said.