Obama Proposes 30-Day Deadline For Disclosing Security Breaches
Following the string of massive data breaches at major corporations, President Obama has called for legislation that would standardize how these incidents are disclosed to the public.
"The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country. The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft."
...and pretty common-sense. It will be interesting to see if this gets implemented or not.
He says as ISIS literally gets into the CENTCOM Twitter account and posts military personnel's addresses/info, data from the Pentagon and other bullshit
I mean come the fuck on
Data apocalypse now
This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.
Mr. Hu is not a ninja.
...and where was this nifty idea (and the free college one too, and immigration reform, etc.) during his first two years in office (when the Congress was mostly Dems)?
Why does he even bother to open his mouth now?
This law sounds good, but it doesn't have a prayer:
1: Who enforces it? Will it be as toothless as HIPAA or SOX, where the only person thrown in jail on Sarbanes-Oxley was a guy who fished up one too many groupers?
2: If enforced, where is there proof that the hole was discovered, and what date? I'm sure an H-1B will be darn sure to keep mum when he/she actually found the breach in order to not be deported.
3: What is a breach? Is someone duping gold on ClicheQuest considered a breach? A warp hack? What about a web server showing the FTP server's links? The courts can be clogged for years of lawyers deliberating this... and when it comes to technical issues, courts tend to side with what side has the most lawyers.
4: What happens when a breach and trade secrets smack into each other? A court erring one way, and businesses can have their secret sauce dumped out by clever lawyers. Another way, and every breach can be covered up as a trade secret.
5: Who is going to fund enforcement? The next President may not bother funding this endeavor.
Nice political thing... but this law is actually not going to ever see the books. We will see mandated hardware DRM stacks and health checks to make sure DRM is present on all devices before we see this on the books and actively enforced.
I wonder if it will require the same standard when the data has been breached by one of the government's letter soup agencies.
30 days is plenty of time to research, patch, test, publicly announce the fix, and make the fix available.
Uh, Linux geek since 1999.
Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knew a name, DoB, address and SSN?
If Obama, or for that matter any leader at a time when Presidential and Congressional approval ratings are in the basement, were smart, he would
* sit down behind closed doors with leaders of both parties and major caucuses
* get a list of general things almost everyone agrees should pass in some form and for which a consensus bill can probably be reached
* quickly negotiate a broad "consensus bill" for everything in the above list
* quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.
* hold bipartisan signing ceremonies
* ???
* PROFIT in higher approval ratings for both the White House and Congress
Okay, I was kidding about the ???/PROFIT part but those inside the beltway really do need to realize there is a lot that they do agree on and they and America are better off getting the things that need to get done done rather than sticking to their guns just to spite the other party.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Seriously.
If you can't get your own house in order, why do we expect other people to do the same.
-- Tigger warning: This post may contain tiggers! --
For those Slashdotters who don't cough up the ransom fee, the New York Times should be categorically banned as a citeable source for stories pertaining to news for nerds or stuff that matters, as it takes free information, namely legislation proposed by the president, and turns it into content for the cloistered elite.
http://readwrite.com/2015/01/1... for the unwashed.
I really do hope with childlike glee that this legislation becomes something, but to those naysayers who insist Congress or the Senate will not support this legislation, you're correct. They rolled back the Dodd-Frank Act in the last omnibus spending bill, and if the historic trend of Republican shutdowns and sequesters is any indication of a future course of action, this legislation will die a quick death as well. Obama is proposing populist legislation because he's a lame duck, which is a bit of a controversial label. On the one hand, he has the power to veto bullshit from the Republican Party like rolling back the Affordable Care Act, but on the other it means meaningful things like banking and tax reform aren't going anywhere if Republicans have any say. Interestingly enough, the legislation also proposes to restrict technology companies from selling the data they collect from students who use their products and services.
Good people go to bed earlier.
Many schools have a system where students submit papers through an online submission system that checks their papers against other papers in a database for plagiarism. Personally I find it incredibly offensive and fought successfully against such a system when I was in undergrad, because it assumes that a student is guilty then runs a check to make sure he isn't.
But regardless of the ethics or morality of the process, it *relies* on the vendor profiting from each submitted paper, in that each submitted paper grows its database of papers. The database is then cross-referenced against new submitted papers to look for plagiarism.
So if companies are prohibited from profiting from the information, it may be tricky to have this business model survive.
and Car Insurance or anything else where they use it. It's an overused piece of personal information.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knew a name, DoB, address and SSN?
That is technically already law; the problem is there is an executive order that allows for an expanded use, which essentially turned the SSN (which was only supposed to be used for tax and SS benefits and nothing else) into a National ID number, thus leading to the problems you see with it today.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
prevent private companies from using SSNs for ID numbers, customer identification and credit granting
I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.
Will the government notify us within 30 days of using its collection of metadata?
the National Security Breach database has been breached. Please try again later.
Sounds like a good idea. Now, let's get the NSA and FBI to fill one of these out.
Then how about adding security to an SSN. While certainly not foolproof or perfect, they could add 2-factor auth to it. Mail everyone one of those number-generating dongles that is always changing the code. Anytime you need to verify identity for credit or whatever, you need the SSN and the key for it to be accepted. Now an identity thief needs to steal both your SSN AND a device you keep on your person or hidden away at home. If said device goes missing somehow, you report it stolen, they charge you $40 for a new one and we all move on with 90% less identity theft.
But these things cost money, you say? How about we let the IRS roll it out. They pull $15 out of everyone's tax return and then mail them the device or require each person to pick it up at the post office. Whatever. It would go a long way to curbing the issue.
This is a great idea. Once there is a working system in place to replace the current one. Until that is true, this proposal would prevent many companies from doing business and many customers from obtaining necessary services. It's a fine idea in principle; it's just those nasty details and implementation that are complicated and make this unrealistic.
I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.
You're right. As long as the UPN is used for both authentication AND authorization, then you are screwed no matter what the number actually is. The trick is to separate the two functions somehow, and will mean a fundamental shift in how things are done.
The problem in the US is that the SSN is used for both authentication and authorization, even though it was only meant for the former.
I am Slashdot. Are you Slashdot as well?
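The dongle proposal above (SSN plus a code from a mailed token, with revocation when the device is reported stolen) and the reply about separating identification from authentication, as an added illustration that is not code from the thread or from any real credit bureau: the SSN only selects the record, and the proof comes from an RFC 6238 time-based one-time code. Token serials, seeds and the enrolled SSN are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed data, not from any real system: the verifier's copy of each
# mailed dongle's seed, keyed by a hypothetical token serial number.
TOKEN_SEEDS = {"TOK-0001": b"12345678901234567890"}
# Enrolment maps the SSN (an identifier only, never a secret) to the token
# currently assigned to that person.
ENROLLED = {"123-45-6789": "TOK-0001"}
# Serials reported lost or stolen; a replacement is issued under a new serial.
REVOKED = set()


def totp(seed, now, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_identity(ssn, code, now=None):
    """Accept only SSN (identifier) plus a fresh code from the assigned dongle.

    Knowing the SSN merely selects which token to check; authentication
    comes from the device. One 30-second window either side is accepted
    to tolerate clock drift on the token.
    """
    now = int(time.time()) if now is None else now
    serial = ENROLLED.get(ssn)
    if serial is None:
        return False, "no token enrolled for this SSN"
    if serial in REVOKED:
        return False, "token reported lost or stolen"
    seed = TOKEN_SEEDS[serial]
    for drift in (-1, 0, 1):
        expected = totp(seed, now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True, "ok"
    return False, "code mismatch: SSN alone is not enough"


def report_stolen(ssn):
    """Revoke the current dongle so a stolen SSN+device pair stops working."""
    serial = ENROLLED.get(ssn)
    if serial is not None:
        REVOKED.add(serial)
```

The seed and timestamp 59 match the RFC 6238 SHA-1 test vector, so the expected six-digit code at that instant is 287082.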
It should be more like the day they uncover it, because that data has most likely been passed around the web for a good while. The last thing hackers need is another 30 days to exploit people's data. There should be mandatory card reissues paid for by the company being hacked, because it's a lot cheaper to give out some new plastic than it is to cover the lawsuits to follow.
There are still people from the Target mess who have not updated their info, meaning there are still people getting scammed because of that. Forced resets would put an end to this shit. They could allow people to set up a few exceptions like house and car payments and some local stores until they get a new card. It cuts the window for hackers to sell that data.
None of the Federal Governments business. If I decide to report or not to report it's up to me. I don't recognize any government claim of authority over MY property.
Please capture Snowden and prosecute and/or hang him for capital treason as an act of good faith showing the American public that Snowden did act on his own and was not part of a larger conspiracy to destroy America before you prosecute Generals for pillow talk.
This is US Law. An anonymous person belongs to no country... Does not seem like anything except a means for big companies to sue security companies: "Hey, you found a bug that my incapable overseas staff copy-and-pasted in! You owe me 400 bars of gold-pressed latinum for damages!"
I appreciate the intent, I really do. In reality, it will be very, very difficult to write sensible rules that apply to every situation. Typically, when you think you might have been hacked, there are more questions than answers. You may never know if the intruder took any data.
Most investigations I've been involved in start with noticing something slightly odd - some non-critical machine has a file on it and we're not sure what the file is, or how it got there. It might be the installer for a Microsoft hotfix that an admin downloaded - a perfectly innocent file, just something someone forgot to delete when done, or it might be something a bad guy forgot to delete. (The typical hacker toolkits try to cover their tracks).
You investigate a bit more and find more suspicious stuff, so you become fairly convinced that a bad guy had some level of access to THIS computer. YOU might even know for sure that they had _some_ access to _this_ computer. You can never know for sure that they didn't have access to the entire network, because you can't prove a negative. You _think_ the intrusion was limited to this one machine.
Maybe you see something strange on a machine that has access to customer information. Maybe some typical Windows malware trying to send out spam. If the people running the botnet knew what machine they had infected, they could have gotten customer data. They probably didn't notice, though; they're just running a spam botnet. Do you have to contact all of your customers and tell them that your Customer Service Manager's desktop had malware on it?
Typically, you KNOW that sensitive data was taken when it starts showing up in public. So at what point do you contact customers?
I think that's a judgement call. It depends on both the likelihood of a leak and the type of data involved - could it do much damage, and is there anything to be done to lessen the damage? I've done it at different times depending on the data. Once, there was a small possibility that a bad guy could have accessed credit card numbers. We were 85% certain there was no bad guy, but we went ahead and called customers anyway. We called and told them "we're pretty sure there is no problem, but please look at your credit card statement and let us know if you see anything out of the ordinary". An example at the other extreme was that a bad guy could probably have read the PHP source code of a public web site. That was much more likely, but who cares - it's mostly public anyway. I didn't hurry to notify anyone that time.
Benghazi, IRS, Veteran's Affairs, Fast And Furious.... Obama's henchmen need time to destroy evidence and get their stories straight.
So, if a company doesn't disclose a breach in 30 days, what happens? They get fined? By the government? Who gets the money? What does a punitive regulation solve? What if the company doesn't themselves find out about the breach for 30 days?
How about liability?
Say, minimum $1,000,000 per bit of personal info lost.
Oh, your corporation can't afford that? Then don't store personal data.
Could this requirement maybe be extended to large vendor zero-day vulns?
Just imagine a world where the only zeroes weren't in the second or third digits of the days-to-patch.
This shouldn't just apply to corporations. I want to know what recourse I have should my medical records or medical history be compromised.
I am Bennett Haselton! I am Bennett Haselton!
Not sure but on the back of my SSC it clearly says "Not to be used for Identification Purposes".
Hell, they don't even have to go that far; how about requiring the actual card be presented.
Sir how is it you are 45 years old but your SSC looks like it was printed yesterday?
Another problem is that it is assigned both GEOGRAPHICALLY and CHRONOLOGICALLY. Meaning that if you know the location and date of birth, it is surprisingly easy to guess. This is especially so if you overhear any digits in the last four.
Regardless of whether the target is a giant corporation or a mom-and-pop store, the 30-day idea is likely intended to limit the financial damage once the attack is known. There are actually folks who sit and watch the underground sites that sell credit card information, and once big lots of them go up for sale, little red flags start popping up and banks start getting notified about it.
Some folks are trying to claim how small business will be impacted by such a rule but, in my opinion, no one should be exempt from this. If you're going to get in the business of handling or processing sensitive financial data in any way, then you need to have the systems or expertise in place to make sure you're doing it correctly.
A stand-alone doctor's office in small-town USA has to comply with HIPAA regulations the same way their big counterparts do over at the hospital. That data is no more or less important based on the size of the business that is handling it.
I have a pessimistic view of this and suspect that many companies are hacked and just silently sit on it because - well - they don't need to tell anyone.
This sounds like a plan to bolster the US Mail system by causing 10 pounds of mail weekly to each constituent alerting them to a recent data breach. Or we'll all need fax machines with an endless spool of paper. Oh wait - it was called a ticker. "...today your account at ACME XYZ was hacked at 9:43 AM...."
If I notice that my Twitter account was hacked, does that mean Twitter needs to send me a letter?
This is just a show - "I am doing something about this awful data breach problem."
If there are any exemptions, you can bet it won't be the "little guy" getting them. More likely the "little guy" will be the example of the consequences. After all, the "little guy" makes no significant political party contributions.
Just an observation....
I would have a sig but I am too busy updating programs and restarting my computer
The original purpose of the SSN was to track individuals' accounts within the Social Security program (e.g. identification of said accounts). Authentication and authorization is a little different.
what monkeys say
I agree... the Government should provide notice within 30 days of when they've obtained my personal data without permission.
Equally and only if that is done, corporations should also let me know within 30 days when someone's obtained my personal data without permission.
DHS under-secretary works as strategist for Microsoft, Microsoft security chief moves to White House, White House security czar moves to DHS, DHS buys Microsoft product to run terrorist database (jeez!), Microsoft creates post of Director of Homeland Security .. no conflict of interest here :)
This world needs to get off its ass and go kill these bastards using little girls, strapping them with explosives and blowing people up. What in the FUCK. They call themselves Boko Haram.
DEAD
NO ONE should be willing to live on a planet with animals worse than animals doing this.
True story...
Then again, since it was an EO, Obama could fix that with his often-mentioned pen; he doesn't even need the phone. Fat chance of that happening, though.