Slashdot Mirror


Obama Proposes 30-Day Deadline For Disclosing Security Breaches

Following the string of massive data breaches at major corporations, President Obama has called for legislation that would standardize how these incidents are disclosed to the public. "The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country. The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft."

37 of 125 comments

  1. Not a bad idea... by notequinoxe · · Score: 2

    ...and pretty common-sense. It will be interesting to see if this gets implemented or not.

    1. Re:Not a bad idea... by jellomizer · · Score: 2, Insightful

      So how would a small company know if their data has been hacked?
      You know, the ones with perhaps 1 IT guy, who mainly just installs canned software and makes sure the computers work.
      The data could have been compromised for months without anyone knowing it.

      Part of the problem with the economy's slow recovery is the difficulty in running a business. Adding restrictions on the use of technology makes it much harder.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Not a bad idea... by Kierthos · · Score: 5, Informative

      It's 30 days from when it's been discovered, not when the breach actually happens. That way, if it happened months ago, and the IT guy is only detecting it now, they're not in any extra trouble for not reporting it, UNLESS they wait more than 30 days from the point of discovery.

      --
      Mr. Hu is not a ninja.
    3. Re:Not a bad idea... by ganjadude · · Score: 2

      As long as there are rules in place protecting the little guy, meaning someone with a small footprint would be exempt from these rules, while Google and Apple would not. There are outfits out there that have 1 IT guy (or worse, no IT guy) that would be unjustly harmed by such rules.

      --
      have you seen my sig? there are many others like it but none that are the same
    4. Re:Not a bad idea... by khallow · · Score: 2

      And of course, they can show exactly when they discovered it. It's timestamped in the computer, right?

    5. Re:Not a bad idea... by Archangel+Michael · · Score: 3, Funny

      Thus all we need is permanent plausible deniability.

      AND, taking notes on our current President .... Here are the stages to avoiding any responsibility for anything:

      "I found out about it the same time you did from the newspaper"

      "I am angry and am going to get to the bottom of it"

      "There is not a smidgeon of evidence..."

      "It is just a right wing conspiracy"

      "Phony Scandal"

      "Golf!"

      ????

      "Profit"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:Not a bad idea... by Ralph+Wiggam · · Score: 2

      Emails have time stamps.

    7. Re:Not a bad idea... by blackraven14250 · · Score: 2

      This is really aimed at irresponsible behavior by large companies. Large companies are undoubtedly going to leave a massive trail of emails and tons of other proof in the wake of the discovery as they try to rectify the problem, and subpoenas will get that proof into the court system. Small companies aren't going to be worth bringing to court, since there's a decent chance that there's no real proof.

    8. Re:Not a bad idea... by Yebyen · · Score: 4, Insightful

      No! Just no!

      If you are a business in the business of making money, small or large, and you have taken my data for some business reason and are careless with it, you should be liable for whatever happens. Every time I hear about another retail company that is storing a bunch of credit cards against the law and PCI, who really doesn't need to be storing any credit card numbers at all, I say "Well no wonder. It was probably the fault of some poor overworked, underpaid IT department." Probably the sales department charged the clients not enough to cover the actual cost of operating the business, and they cut corners. You don't win bids pricing services reasonably, you have to undercut the competition!

      If you think that every company should have carte blanche to do just whatever with customer data, without regard to keeping it secure from hackers, because "computer hard, IT too expensive" then you are part of the problem. Until some of these companies that are gutted by hackers with their "secure" data splayed out all over the internet get gutted again afterwards by regulators, or even by customers leaving to hold them to account after the event, the executive suite is going to continue to place the security bulletin into the circular file and we are going to see more and more of these breaches.

      --
      Restating the obvious since nineteen aught five.
    9. Re:Not a bad idea... by jellomizer · · Score: 2

      Wow, judgemental much?

      The issue at hand is the fact that government controls meant to try to curb the big corporations are often nearly impossible for small businesses to comply with.

      If you personally had my data and your system got hacked, you would be responsible.
      So you didn't patch your servers years after a zero day: you are careless.
      How about weeks after a patch comes out?
      How about if you got hacked before a patch came out?
      Even if you do everything right you could still get hacked.

      If you are a big company, it happens; you have the money and resources to deal with it. If you are a small company and you get hacked you are screwed in all directions.

      I am not saying the rule is bad, but it needs to be made very carefully, otherwise it will do more harm than good.
      As well, I think the effort should still go towards the people who do the bad thing. Cut off network access, sue/jail/bomb the hackers who are actively trying to steal your data. Don't punish the company for not having the world's most hardened and expensive lock on its door.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re:Not a bad idea... by SydShamino · · Score: 2

      No! Just no!

      If you are a business in the business of making money, small or large, and you have taken my data for some business reason and are careless with it, you should be liable for whatever happens.

      Isn't it amazing how businesses have managed to turn fraud - a crime perpetrated against them, for which they are responsible for preventing it, detecting it, and absorbing any losses because of it - into "identity theft", a crime for which the consequences are dumped onto a third party who has to prove his or her innocence?

      I think the corporate model now is simultaneously both "we own customer data we collected" and "the customer is responsible for his or her own data", nonsensical doublespeak designed to let them do what they want with minimal consequences.

      --
      It doesn't hurt to be nice.
    11. Re:Not a bad idea... by Culture20 · · Score: 2

      I have an email in my spam filter with a sent time of year 2060. Either it's really from the future, or email timestamps are largely worthless.

  2. Yeah, okay by Anonymous Coward · · Score: 4, Insightful

    He says as ISIS literally gets into the CENTCOM twitter account and posts military personnel's addresses/info, data from the pentagon and other bullshit

    I mean come the fuck on

    Data apocalypse now

    1. Re:Yeah, okay by RingDev · · Score: 3, Funny

      "Data apocalypse now"

      Disregarding the rest of your post for this nugget.

      The thought of a remake of Apocalypse Now as Data Apocalypse Now, as a senior CIA agent is being sent into the field with some hard core MI6 bodies to capture and return a rogue agent distributing data in an "information wants to be free!" kinda zeal (only way darker). And over time, embedded with the rogue agent, after the MI6 team gets picked off or falls into a drug induced free-knowledge stupor, he starts doubting his mission: maybe data does want to be free?

      The thought of a Brit with a laptop saying, "Charlie don't surf!" while browsing the web from North Korea ...

      Seriously, that could be a good movie.

      Could be. Odds are though, it would be drivel.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  3. good luck with that by Kierthos · · Score: 2

    This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.

    --
    Mr. Hu is not a ninja.
    1. Re:good luck with that by Okian+Warrior · · Score: 4, Insightful

      This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.

      Yeah, and the Democratic president waited until *after* the Democrats lost power in the legislature before proposing it.

      It almost seems - dare I say it - that both parties are against the needs of the people!

    2. Re:good luck with that by BillCable · · Score: 3, Informative

      I see the main problem being that these companies will be forced to disclose breaches while they are still in the midst of investigating and fixing them. I can see it taking more than 30 days to discover the breadth of a breach.

    3. Re:good luck with that by Kierthos · · Score: 2

      Yeah, but the way the summary is worded, it makes sense.

      IT guy discovers data breach affects customer 1-10,000.
      Within 30 days they have to notify those customers of the data breach.
      10 days into that notification process, IT guy discovers that, oh crap, customers 10,001 - 100,000 were affected.
      The 30 day timer starts for THOSE customers now.

      --
      Mr. Hu is not a ninja.
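An added example, not part of any comment above, of how two of these threads fit together: khallow, Ralph Wiggam and Culture20 ask what evidence fixes the moment of discovery, and Kierthos describes a separate 30-day clock for each batch of affected customers. The script takes the discovery time from the receiving mail server's own Received: header rather than the sender's Date: header (which, as Culture20 notes, can happily say 2060), flags a Date: that disagrees with receipt, and then computes each cohort's deadline from its own discovery time. The mailbox, host names and message are constructed; the 30-day figure is the one in the summary, and any real statute would define "discovery" more precisely than this.

```python
"""Added example (not from the thread): derive a discovery timestamp from
evidence the sender does not control, then run the 30-day clock per cohort
as each expansion of scope is discovered.

Hypothetical setup: discoveries are reported by e-mail to a security
mailbox, and the receiving MTA's own Received: header is the timestamp we
trust. All sample data below is constructed.
"""
import email
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

NOTIFY_WINDOW = timedelta(days=30)   # the summary's "within 30 days"

# Constructed sample: the sender's clock (Date:) is bogus, the MTA's is not.
SAMPLE_EMAIL = """\
Received: from it-desk.example.internal (it-desk.example.internal [10.1.2.3])
    by mail.example.internal (Postfix) with ESMTP id 4F2C1A0B3;
    Mon, 12 Jan 2015 09:15:02 +0000
From: it-guy@example.internal
To: security@example.internal
Date: 11 Jan 2060 03:00:00 +0000
Subject: weird file on the CS manager desktop

Found an unknown .exe in C:\\Users\\csmgr\\Downloads, investigating.
"""


def trusted_receipt_time(raw_message):
    """Return (receipt_time, anomalies).

    The topmost Received: header is the one added last, by our own MTA, so
    it is the least sender-influenced timestamp in the message. Date: is
    whatever the sender's client wrote and is only checked for plausibility.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received: header; cannot establish receipt time")
    top = " ".join(received[0].split())            # unfold the header
    receipt = parsedate_to_datetime(top.rsplit(";", 1)[-1].strip())

    anomalies = []
    date_hdr = msg.get("Date")
    if date_hdr:
        claimed = parsedate_to_datetime(date_hdr)
        if claimed > receipt + timedelta(minutes=5):
            anomalies.append("Date: header is later than receipt by our MTA")
    if receipt > datetime.now(timezone.utc) + timedelta(minutes=5):
        anomalies.append("receipt time is in the future; check MTA clock")
    return receipt, anomalies


def notification_deadlines(discoveries, now):
    """discoveries: list of (cohort_label, discovery_time).

    Each cohort's clock starts when *that* cohort's exposure was discovered,
    which is how the summary's wording plays out when scope expands
    mid-investigation. Returns one dict per cohort.
    """
    rows = []
    for label, found_at in discoveries:
        deadline = found_at + NOTIFY_WINDOW
        remaining = deadline - now
        rows.append({"cohort": label, "discovered": found_at,
                     "deadline": deadline,
                     "status": "overdue" if remaining < timedelta(0) else "open",
                     "days_left": remaining.days})
    return rows


if __name__ == "__main__":
    t0, issues = trusted_receipt_time(SAMPLE_EMAIL)
    print("discovery evidence:", t0.isoformat(), issues)
    later = t0 + timedelta(days=10)        # scope expands ten days in
    for row in notification_deadlines(
            [("customers 1-10000", t0), ("customers 10001-100000", later)],
            now=t0 + timedelta(days=32)):
        print(row)
```

Running it prints the receipt time, the Date: anomaly, and one row per cohort; the second cohort, discovered ten days later, still has time left when the first is already overdue.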
  4. where was this during his first two years? by xxxJonBoyxxx · · Score: 3, Insightful

    ...and where was this nifty idea (and the free college one too, and immigration reform, etc.) during his first two years in office (when the Congress was mostly Dems)?

    Why does he even bother to open his mouth now?

    1. Re:where was this during his first two years? by gstoddart · · Score: 3, Insightful

      Why does he even bother to open his mouth now?

      Doesn't need to worry about getting re-elected ... doesn't need to care.

      --
      Lost at C:>. Found at C.
    2. Re:where was this during his first two years? by fustakrakich · · Score: 2

      Begs the question, Is it illegal to shout 'Fore!' in a crowded theater?

      Anyway he has to say these things because he still works for the party.

      --
      “He’s not deformed, he’s just drunk!”
  5. No chance in Hell this will pass... by Anonymous Coward · · Score: 4, Interesting

    This law sounds good, but it doesn't have a prayer:

    1: Who enforces it? Will it be as toothless as HIPAA or SOX, where the only person thrown in jail on Sarbanes-Oxley was a guy who fished up one too many groupers?

    2: If enforced, where is there proof that the hole was discovered, and what date? I'm sure a H-1B will be darn sure to keep mum when he/she actually found the breach in order to not be deported.

    3: What is a breach? Is someone duping gold on ClicheQuest considered a breach? A warp hack? What about a web server showing the FTP server's links? The courts can be clogged for years of lawyers deliberating this... and when it comes to technical issues, courts tend to side with what side has the most lawyers.

    4: What happens when a breach and trade secrets smack into each other? A court erring one way, and businesses can have their secret sauce dumped out by clever lawyers. Another way, and every breach can be covered up as a trade secret.

    5: Who is going to fund enforcement? The next President may not bother funding this endeavor.

    Nice political thing... but this law is actually not going to ever see the books. We will see mandated hardware DRM stacks and health checks to make sure DRM is present on all devices before we see this on the books and actively enforced.

  6. How about a law preventing SSN use for credit/ID? by StandardCell · · Score: 4, Interesting

    Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knew their name, DoB, address and SSN?

  7. If Obama were smart... by davidwr · · Score: 2

    If Obama, or for that matter any leader at a time when Presidential and Congressional approval ratings are in the basement, were smart, he would

    * sit down behind closed doors with leaders of both parties and major caucuses
    * get a list of general things almost everyone agrees should pass in some form and for which a consensus bill can probably be reached
    * quickly negotiate a broad "consensus bill" for everything in the above list
    * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.
    * hold bipartisan signing ceremonies
    * ???
    * PROFIT in higher approval ratings for both the White House and Congress

    Okay, I was kidding about the ???/PROFIT part but those inside the beltway really do need to realize there is a lot that they do agree on and they and America are better off getting the things that need to get done done rather than sticking to their guns just to spite the other party.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:If Obama were smart... by TemporalBeing · · Score: 2

      If Obama, or for that matter any leader at a time when Presidential and Congressional approval ratings are in the basement, were smart, he would

      * sit down behind closed doors with leaders of both parties and major caucuses
      * get a list of general things almost everyone agrees should pass in some form and for which a consensus bill can probably be reached
      * quickly negotiate a broad "consensus bill" for everything in the above list
      * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.
      * hold bipartisan signing ceremonies
      * ???
      * PROFIT in higher approval ratings for both the White House and Congress

      Okay, I was kidding about the ???/PROFIT part but those inside the beltway really do need to realize there is a lot that they do agree on and they and America are better off getting the things that need to get done done rather than sticking to their guns just to spite the other party.

      This is Obama you're talking about. He's not interested in anything that isn't 100% of what he wants. Reid did good in hiding that by not allowing anything through the Senate that Obama wouldn't sign; but that protection is no longer there.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    2. Re:If Obama were smart... by Obfuscant · · Score: 3, Insightful

      * quickly negotiate a broad "consensus bill" for everything in the above list

      The use of riders to attach irrelevant legislation to other stuff is already too much of a problem, you want an entire bill made up of unrelated stuff as one package?

      * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.

      It's nice you let them have a chance to "be heard". But consider this: the more unrelated things you put in one bucket, the more likely you are to reach a critical mass of people who object to something in that bucket and vote no just for that small part they object to. The entire bill fails for want of a smaller bucket.

    3. Re:If Obama were smart... by Jawnn · · Score: 3, Insightful

      This is the GOP you're talking about. They're not interested in anything that isn't 100% of what they want...

      TFTFY.

  8. This May Protect Cheaters by Etherwalk · · Score: 2

    Many schools have a system where students submit papers through an online submission system that checks their papers against other papers in a database for plagiarism. Personally I find it incredibly offensive and fought successfully against such a system when I was in undergrad, because it assumes that a student is guilty then runs a check to make sure he isn't.

    But regardless of the ethics or morality of the process, it *relies* on the vendor profiting from each submitted paper, in that each submitted paper grows its database of papers. The database is then cross-referenced against new submitted papers to look for plagiarism.

    So if companies are prohibited from profiting from the information, it may be tricky to have this business model survive.

    1. Re:This May Protect Cheaters by i.r.id10t · · Score: 3, Interesting

      I have issues with turnitin.com as well (and I'm a teacher and work in academic technology) but mostly because instructors/institutions can force a student to give up their intellectual property in order to support a 3rd party's business model.

      I've started adding a footer on my papers I submit as a student along the lines of "this paper is the intellectual property of i.r.id10t. any commercial use is prohibited"

      Don't think I'll ever get anywhere because of it, but at least it makes me feel half way ok for a few moments...

      --
      Don't blame me, I voted for Kodos
  9. Re:How about a law preventing SSN use for credit/I by TemporalBeing · · Score: 2

    Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knew their name, DoB, address and SSN?

    That is technically already law; the problem is there is an executive order that allows for an expanded use, which essentially turned the SSN (which was only supposed to be used for Tax and SS benefits and nothing else) into a National ID number, thus leading to the problems you see with it today.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  10. Re:How about a law preventing SSN use for credit/I by T.E.D. · · Score: 2

    prevent private companies from using SSNs for ID numbers, customer identification and credit granting

    I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.

  11. We're sorry... by seven+of+five · · Score: 3, Funny

    the National Security Breach database has been breached. Please try again later.

  12. Good by mbone · · Score: 3, Interesting

    Sounds like a good idea. Now, let's get the NSA and FBI to fill one of these out.

  13. Re:thanks for the article. by Anonymous Coward · · Score: 2, Informative

    Say what? I read the whole article without paying any fee, or logging in, or any other nonsense. If you have cookies from NYT, delete them and try again. Better yet don't accept them in the first place.

    --

    Obama to Call for Laws Covering Data Hacking and Student Privacy

    By MICHAEL D. SHEAR and NATASHA SINGER, JAN. 11, 2015

    WASHINGTON — President Obama on Monday called for federal legislation intended to force American companies to be more forthcoming when credit card data and other consumer information are lost in an online breach like the kind that hit Sony, Target and Home Depot last year.

    The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country.

    The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.

    “If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business,” Mr. Obama said Monday. “Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”

    Monday’s announcements were part of a weeklong focus on privacy and cybersecurity by Mr. Obama ahead of his State of the Union address next week. White House officials said they expected bipartisan support for the initiatives and did not anticipate fierce opposition from industry or advocacy organizations.

    But on Capitol Hill, Mr. Obama faces a Republican-controlled Congress for the first time in his presidency. It remains unclear how quickly his adversaries in the House and the Senate will move to take up the legislation, and whether disputes in other areas could delay its consideration.

    Consumer and privacy groups have yet to see details of the president’s proposals, and some remain concerned that any federal standard could be weaker than the robust state laws passed in recent years. California, for example, recently passed a state law protecting student data.

    “The problem is that the effect will likely be to pre-empt the stronger state laws,” said Marc Rotenberg, the president of the Electronic Privacy Information Center, who favors disclosure faster than 30 days. “We want a federal baseline, and leave the states with the freedom to establish stronger standards.”

    Chris Calabrese, the senior policy director for the Center for Democracy and Technology, said that his group had not rejected the idea of a federal law, but that it depended on how it was written. “There is a lot of concern in the advocacy community about the possibility of a federal law being watered down,” Mr. Calabrese said.

    Corporate data breaches have gained urgency since attacks on Sony Pictures that officials say were done by the North Korean government. Under the proposed law, the discovery of a breach would trigger a “30-day shot clock” that requires notification. The legislation clarifies when breaches must be disclosed and makes it a crime to sell a person’s cyberinformation overseas. The Federal Trade Commission would get the power to issue penalties to companies that did not comply.

    “There’s a crazy quilt patchwork of 48 state laws, and they are in tension with each other,” said Jon Leibowitz, a partner at

  14. Re:How about a law preventing SSN use for credit/I by OzPeter · · Score: 3, Interesting

    I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.

    You're right. As long as the UPN is used for both authentication AND authorization, then you are screwed no matter what the number actually is. The trick is to separate the two functions somehow, and will mean a fundamental shift in how things are done.

    The problem in the US is that the SSN is used for both authentication and authorization, even though it was only meant for the former.

    --
    I am Slashdot. Are you Slashdot as well?
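An added example, not from OzPeter or anyone else in the thread, of the separation he describes, in working code. Here the number everybody has to be given (the SSN, or the UPN T.E.D. proposes) only selects a record; proving that you are the person behind it requires a per-relationship secret that never leaves the client, is checked through a fresh HMAC challenge each time, and can be rotated after a breach while the identifier stays the same. The Registry class, the identifier format and the names are hypothetical.

```python
"""Added example (not from the thread): a public identifier used only for
lookup, plus a secret the holder proves possession of. Names hypothetical.
"""
import hashlib
import hmac
import secrets


# --- The anti-pattern: the identifier is also the credential. -------------
def ssn_style_lookup(records, identifier):
    """Whoever knows the number gets the account. A leaked number is a
    leaked credential, and the victim cannot rotate it."""
    return records.get(identifier)


# --- Separation: identifier for lookup, secret for proof. -----------------
class Registry:
    def __init__(self):
        self._records = {}   # identifier -> {"name": ..., "key": bytes}

    def enroll(self, identifier, name):
        """Issue a fresh per-relationship secret; the identifier may be public."""
        key = secrets.token_bytes(32)
        self._records[identifier] = {"name": name, "key": key}
        return key                      # handed to the owner out of band

    def rotate(self, identifier):
        """Compromise recovery: the identifier stays, the secret changes."""
        key = secrets.token_bytes(32)
        self._records[identifier]["key"] = key
        return key

    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce per attempt: no replay

    def verify(self, identifier, nonce, proof):
        """Return the record if `proof` was made with this identifier's key."""
        rec = self._records.get(identifier)
        if rec is None:
            return None
        expected = hmac.new(rec["key"], nonce, hashlib.sha256).digest()
        return rec if hmac.compare_digest(expected, proof) else None


def prove(key, nonce):
    """Client side: demonstrate possession of the secret for this nonce
    without ever transmitting the secret itself."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Constructed walk-through; returns four booleans that should all be True."""
    reg = Registry()
    ident = "123-45-6789"               # printed on every form, assumed public
    alice_key = reg.enroll(ident, "Alice")
    nonce = reg.challenge()
    owner_ok = reg.verify(ident, nonce, prove(alice_key, nonce)) is not None
    # A thief who only has the identifier cannot produce a valid proof.
    thief_fails = reg.verify(ident, nonce, prove(b"guess", nonce)) is None
    # A captured proof does not work against a new challenge.
    captured = prove(alice_key, nonce)
    replay_fails = reg.verify(ident, reg.challenge(), captured) is None
    # After rotation the old key is dead; the identifier never changed.
    reg.rotate(ident)
    stale_fails = reg.verify(ident, nonce, prove(alice_key, nonce)) is None
    return owner_ok, thief_fails, replay_fails, stale_fails


if __name__ == "__main__":
    print(demo())
```

Leaking the identifier now costs the victim nothing on its own, which is exactly the property the SSN lacks; the remaining work is the unglamorous part OzPeter calls a fundamental shift, getting every creditor to enroll a secret instead of trusting the number.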
  15. Well intentioned. In reality, mostly unknowns by raymorris · · Score: 2

    I appreciate the intent, I really do. In reality, it will be very, very difficult to write sensible rules that apply to every situation. Typically, when you think you might have been hacked, there are more questions than answers. You may never know if the intruder took any data.

    Most investigations I've been involved in start with noticing something slightly odd - some non-critical machine has a file on it and we're not sure what the file is, or how it got there. It might be the installer for a Microsoft hotfix that an admin downloaded - a perfectly innocent file, just something someone forgot to delete when done, or it might be something a bad guy forgot to delete. (The typical hacker toolkits try to cover their tracks.)

    You investigate a bit more and find more suspicious stuff, so you become fairly convinced that a bad guy had some level of access to THIS computer. You might even know for sure that they had _some_ access to _this_ computer. You can never know for sure that they didn't have access to the entire network, because you can't prove a negative. You _think_ the intrusion was limited to this one machine.

    Maybe you see something strange on a machine that has access to customer information. Maybe some typical Windows malware trying to send out spam. If the people running the botnet knew what machine they had infected, they could have gotten customer data. They probably didn't notice, though; they're just running a spam botnet. Do you have to contact all of your customers and tell them that your Customer Service Manager's desktop had malware on it?

    Typically, you KNOW that sensitive data was taken when it starts showing up in public. So at what point do you contact customers?

    I think that's a judgement call. It depends on both the likelihood of a leak and the type of data involved - could it do much damage, and is there anything to be done to lessen the damage? I've done it at different times depending on the data. Once, there was a small possibility that a bad guy could have accessed credit card numbers. We were 85% certain there was no bad guy, but we went ahead and called customers anyway. We called and told them "we're pretty sure there is no problem, but please look at your credit card statement and let us know if you see anything out of the ordinary". An example at the other extreme was that a bad guy could probably have read the PHP source code of a public web site. That was much more likely, but who cares - it's mostly public anyway. I didn't hurry to notify anyone that time.
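An added example, not raymorris's own tooling, of the first two cheap checks in the situation he describes: an unknown file on a non-critical machine that may be a forgotten hotfix installer or an attacker's leftover. It hashes the file against an allowlist of installers the IT desk is known to use and asks whether an administrator had an interactive session on that host when the file appeared, then sorts the file into explained, probably benign, or unexplained. The allowlist, host log, hashes and timestamps are all constructed; a real run would feed it the host's logon events and the organisation's software inventory.

```python
"""Added example (not from the thread): first-pass triage of an unknown
file. Two questions are cheap to answer before anyone argues about
notification: is the hash something we know we installed, and was an admin
logged on when the file appeared? All data below is constructed.
"""
import hashlib
from datetime import datetime, timedelta

# Hypothetical allowlist: hashes of installers the IT desk is known to use.
KNOWN_INSTALLERS = {
    "KB9999999-x64.msu": hashlib.sha256(b"constructed hotfix bytes").hexdigest(),
}

# Constructed host log as (timestamp, user, event). A real source would be
# Windows Security events 4624/4634 or auditd session records.
HOST_LOG = [
    (datetime(2015, 1, 8, 14, 2), "it-guy", "logon"),
    (datetime(2015, 1, 8, 14, 41), "it-guy", "logoff"),
    (datetime(2015, 1, 10, 3, 17), "csmgr", "logon"),
]


def admin_session_covering(log, when, admins, slack=timedelta(minutes=15)):
    """Return the admin whose session spans `when` (with some slack for
    clock skew and delayed logoff events), or None."""
    open_sessions = {}
    for ts, user, event in sorted(log):
        if user not in admins:
            continue
        if event == "logon":
            open_sessions[user] = ts
        elif event == "logoff" and user in open_sessions:
            start = open_sessions.pop(user)
            if start - slack <= when <= ts + slack:
                return user
    # Sessions still open at the end of the log count if they began earlier.
    for user, start in open_sessions.items():
        if start - slack <= when:
            return user
    return None


def triage(name, content, created, log, admins):
    """Classify one file from its hash and the admin activity around it."""
    digest = hashlib.sha256(content).hexdigest()
    known_as = [n for n, h in KNOWN_INSTALLERS.items() if h == digest]
    who = admin_session_covering(log, created, admins)
    if known_as and who:
        verdict = "explained"        # known installer, admin was there
    elif known_as or who:
        verdict = "probably benign"  # one corroborating fact; confirm it
    else:
        verdict = "unexplained"      # widen scope: host, accounts, network
    return {"file": name, "sha256": digest, "known_as": known_as,
            "admin_session": who, "verdict": verdict}


def demo():
    """Constructed cases: a forgotten hotfix and an unknown binary."""
    admins = {"it-guy"}
    return [
        triage("KB9999999-x64.msu", b"constructed hotfix bytes",
               datetime(2015, 1, 8, 14, 20), HOST_LOG, admins),
        triage("svchost32.exe", b"not anything we installed",
               datetime(2015, 1, 10, 3, 30), HOST_LOG, admins),
    ]


if __name__ == "__main__":
    for row in demo():
        print(row["file"], row["verdict"], row["admin_session"], row["known_as"])
```

Nothing here proves the negative raymorris warns about; an unexplained verdict is the trigger to widen scope and preserve evidence, not a finding in itself.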

  16. To what end? by RogueWarrior65 · · Score: 2

    So, if a company doesn't disclose a breach in 30 days, what happens? They get fined? By the government? Who gets the money? What does a punitive regulation solve? What if the company doesn't themselves find out about the breach for 30 days?