Slashdot Mirror


Legislation In the Works To Require Companies To Report Privacy Breaches

An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach. "Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"

13 of 62 comments

  1. Notify Customers by KPU (Score: 5, Interesting)

    How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?

    1. Re:Notify Customers by jd (Score: 2)

      It's reasonable to provide law enforcement some headstart, though not indefinite. How about a compromise? If Congress has to be informed within 48 hours, the public has to be informed within 72 hours whether or not Congress has taken action. It doesn't take a day for computer forensics teams to make backups of applicable system logs from the target, any zombies used, etc.

      I do agree that all prior breaches (well, within reason - say since 1998) should be listed to the extent that they are known. Chances are, for a lot of that time, companies were being broken into left and right with no awareness of it whatsoever. The exception should be banks and other financial institutions, since they have been required by the business world to use computers for a very long time and are required to have far higher standards. For them, I'd say 1988 would be a better cutoff point.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Notify Customers by blueg3 (Score: 2)

      That's kind of tricky. It often can be easier to identify that there has been a potential data breach than it is to identify whether there actually was a breach and, if so, what the target was, what information was lost, and what systems were affected. It can take more than a day, on big targets, to get all of the data that may contain evidence from the targets (even after you've identified the targets). Worse, it can take a long time to identify what non-target machines were involved in the attack -- and for proper incident response, you need the data from them, too.

      So I think it's tough to set a timetable, especially a short one, for reporting data breaches.

      On the other hand, I think it should be mandatory to report data breaches to the public once the breach has been investigated.

    3. Re:Notify Customers by chill (Score: 2)

      The authorities? You're kidding, right?

      Forget the fact that most police departments don't have the skilled personnel to deal with these sorts of things. Forget that most of them are overwhelmed with physical crimes, most of which never get solved. What makes you think any of them will have the jurisdiction to deal with anything?

      Notifying a national agency like the FBI will mostly overwhelm them. Yeah, it is great for their statistics, but lets not kid about their needing a head start. Anyone big enough to matter already cooperates with them first, anyway. The rest will just sit on the pile because they don't have the resources to deal with it.

      Notifying *customers* is the one thing they can do that might actually make a difference.

      --
      Learning HOW to think is more important than learning WHAT to think.
    4. Re:Notify Customers by AK+Marc (Score: 2)

      When you notify the public you also notify the perpetrator limiting the chance of catching him.

      You are asserting that vengeance is more important than security. I disagree.

      Pulling the plug on the affected server is not always the best solution.

      I agree. I never said it was. I said it was a guarantee of ending the breach in progress. Or do you disagree?

      You are apparently coming up with reasons to let a breach continue to occur. I think that's a horrible idea. The police don't respond to an assault with cameras and make sure they take enough pictures while it's happening to identify the perpetrator in case he flees while they try to break it up. They stop the crime in progress, then worry about the rest.

  2. notify the government? How about us? by Thornburg (Score: 4, Interesting)

    So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.

    TFA mentions "nationwide" notification, but not a timetable.

  3. sure by waddgodd (Score: 5, Interesting)

    Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?

    --
    Just because you're paranoid doesn't mean they aren't out to get you
    1. Re:sure by dkleinsc (Score: 2)

      Bruce Schneier has written about the effectiveness of this sort of legislation before:
      http://www.schneier.com/blog/archives/2006/04/identitytheft_d.html

      Without disclosure laws, there's a darn good chance that the recent Citibank and Sony breaches might never have become public. Are they perfect? No, but they're a heck of a lot better than no disclosure laws.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  4. Re:notify the government? How about us? by Bios_Hakr (Score: 4, Interesting)

    Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

    Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

    I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

    If they haven't collected enough evidence in 120 hours, then they should pull the plug.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  5. Cloak after the rain? by ThunderBird89 (Score: 2)

    Why not require them to take proper steps to protect the data, not some half-arsed security mirage on the cheap done by the CTO's nephew's brother's neighbor's friend fresh out of CS101? The government could even mandate the corporations hiring a bluehat to give their systems a once-over or hire convicted hackers on a work-release program (it takes a thief to catch a thief, after all) to pentest the defenses and fine them if not acceptable.

    But requiring notification with today's password reuse is not going to help: most people use a single master password (present company excepted), so if one account gets hacked, all of them can be considered compromised. John Doe is never going to track down all his passwords that need changing (too many services used once and forgotten, too lazy, doesn't care, etc.), if he bothers to change any of them.

    --
    Hyperbole: I use it liberally!
  6. Re:notify the government? How about us? by CaptainPatent (Score: 2)

    Agreed - even 48 hours is a bit long in today's digital world and the government would only be a middle-man to who the information needs to get to as you were saying.

    If the legislators knew anything about computers, maybe they'd do something smart like require auditing software which detects mass-retrieval of data. That way, in most instances, the leak can be detected immediately instead of potentially not at all like some companies.

    Heck - I think it would be better to require them to notify the government and their consumers within 48 hours of the breach regardless of whether or not they have detected it and subject them to a fine based on the severity of the retrieval and how detectable it should have been if it took them more than 48 hours to detect and report.

    It won't stop data breaches, but it will make sure decent audit systems are in place.

    --
    Well, back to rejecting software patent applications.
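The mass-retrieval audit that CaptainPatent's comment above asks for, as an added example (not code from the thread, from Slashdot, or from any product). It assumes a constructed audit-log format of one line per access (ISO timestamp, principal, action, record id), a 5-minute sliding window and a threshold of 100 distinct records; all three are illustrative assumptions, and the log lines are constructed sample data.

```python
"""Bulk-retrieval detector over a per-record access log (added example).
Assumed log format, one access per line:  <ISO timestamp> <principal> <ACTION> <record-id>
Window and threshold values below are assumptions for illustration only."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample audit lines (not real data), returned in time order."""
    base = datetime(2011, 6, 14, 9, 0, 0)
    events = []
    # analyst.jane: 20 distinct customer records, one every 3 minutes (benign lookups)
    for i in range(20):
        events.append((base + timedelta(minutes=3 * i), f"analyst.jane READ cust-{1000 + i}"))
    # svc-billing: 120 reads of the SAME record in 2 minutes (noisy, but not an export)
    for i in range(120):
        events.append((base + timedelta(seconds=i), "svc-billing READ cust-42"))
    # svc-report: 150 distinct records in 150 seconds (what a mass retrieval looks like)
    for i in range(150):
        events.append((base + timedelta(minutes=30, seconds=i), f"svc-report READ cust-{5000 + i}"))
    # one non-read action, to show that only READ events are counted
    events.append((base + timedelta(minutes=31), "analyst.jane UPDATE cust-1003"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.isoformat()} {rest}" for ts, rest in events]


def parse_line(line):
    """Split one assumed-format log line into (timestamp, principal, action, record_id)."""
    ts, principal, action, record_id = line.split()
    return datetime.fromisoformat(ts), principal, action, record_id


def detect_bulk_reads(lines, window=timedelta(minutes=5), max_distinct=100):
    """Flag a principal the first time it has read more than max_distinct DISTINCT
    records inside any sliding window of length `window`.
    Counting distinct records rather than raw reads keeps a service that hammers one
    row from alerting, while a crawl across many rows does. Lines must be time-ordered."""
    recent = defaultdict(deque)                        # principal -> (ts, record_id) still in window
    in_window = defaultdict(lambda: defaultdict(int))  # principal -> record_id -> reads in window
    alerted = set()
    alerts = []
    for line in lines:
        ts, principal, action, rid = parse_line(line)
        if action != "READ":
            continue
        q, counts = recent[principal], in_window[principal]
        q.append((ts, rid))
        counts[rid] += 1
        # slide the window: evict reads older than `window` relative to this read
        while q and ts - q[0][0] > window:
            _, old_rid = q.popleft()
            counts[old_rid] -= 1
            if counts[old_rid] == 0:
                del counts[old_rid]
        if len(counts) > max_distinct and principal not in alerted:
            alerted.add(principal)
            alerts.append({
                "principal": principal,
                "at": ts.isoformat(),
                "distinct_records": len(counts),
                "reads_in_window": len(q),
                "window_start": q[0][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_log()):
        print(alert)
```

On the sample data only svc-report trips the detector, at its 101st distinct record; the analyst never has more than two distinct records in any 5-minute window, and the billing service's 120 reads of one row are ignored. In practice the window and threshold would be set per role (a nightly batch job legitimately reads far more than a help-desk login), and a second, much longer window (hours or days) is worth running alongside this one so that a slow crawl kept deliberately under the short-window limit is still caught.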
  7. S.A.F.E. DATA ? by 2phar (Score: 3, Insightful)

    How about a law to require proper titles for acts instead of these stupid acronyms.

  8. Make it a legal liability by izomiac (Score: 3, Insightful)

    IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.