Slashdot Mirror

← Back to Stories (view on slashdot.org)

Legislation In the Works To Require Companies To Report Privacy Breaches

Posted by Soulskill on from the thanks-sony dept.

An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach. "Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"

6 of 62 comments (clear)

  1. Notify Customers by KPU · · Score: 5, Interesting

    How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?

  2. notify the government? How about us? by Thornburg · · Score: 4, Interesting

    So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.

    TFA mentions "nationwide" notification, but not a timetable.

  3. sure by waddgodd · · Score: 5, Interesting

    Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?

    --
    Just because you're paranoid doesn't mean they aren't out to get you
  4. Re:notify the government? How about us? by Bios_Hakr · · Score: 4, Interesting

    Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

    Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

    I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

    If they haven't collected enough evidence in 120 hours, then they should pull the plug.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  5. S.A.F.E. DATA ? by 2phar · · Score: 3, Insightful

    How about a law to require proper titles for acts instead of these stupid acronyms.

  6. Make it a legal liability by izomiac · · Score: 3, Insightful

    IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.