Forgot your password?
typodupeerror
Government Privacy United States

Legislation In the Works To Require Companies To Report Privacy Breaches 62

Posted by Soulskill
from the thanks-sony dept.
An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach. "Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"
This discussion has been archived. No new comments can be posted.

Legislation In the Works To Require Companies To Report Privacy Breaches

Comments Filter:
  • Notify Customers (Score:5, Interesting)

    by KPU (118762) on Monday June 13, 2011 @04:03PM (#36428354) Homepage

    How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?

    • by Anonymous Coward
      We should require hackers to provide 48 hrs advance notice of intent to breach privacy too.
    • by Teun (17872)
      Mandatory notification of customers should be part of the bill, but not necessarily before the authorities.

      You first have to stop the breach form continuing/ recurring.

      When you are not sure on how to stop the threat from continuing there is every reason to not notify the public, notifying the authorities would be a lot safer.

      • by AK Marc (707885)

        You first have to stop the breach form continuing/ recurring.

        Why? Why would it be more important to purposefully silence an organization (or allow them to be silent when they know they shouldn't be) because they are incompetent? An organization that stops the breach faster is required to announce faster, while the incompetent ones who take longer get greater immunity from notifying people? That seems silly.

        Having the PR department notify while the IT department is working on the problem doesn't cause any delay to fixing the problem. Or are you assuming that the

        • by Teun (17872)
          I am surprised this needs expanding.

          When you notify the public you also notify the perpetrator limiting the chance of catching him.
          And in case of a serious vulnerability you potentially invite more trouble.

          Pulling the plug on the affected server is not always the best solution.

          • by AK Marc (707885)

            When you notify the public you also notify the perpetrator limiting the chance of catching him.

            You are asserting that vengeance is more important than security. I disagree.

            Pulling the plug on the affected server is not always the best solution.

            I agree. I never said it was. I said it was a guarantee of ending the breach in progress. Or do you disagree?

            You are apparently coming up with reasons to let a breach continue to occur. I think that's a horrible idea. The police don't respond to an assault with cameras and make sure they take enough pictures while it's happening to identify the perpetrator in case he flees while they try to break it up. They stop the crime

            • by Teun (17872)
              I do believe a breach should only in exceptional en well controlled cases be allowed to continue.

              But even when the breach is stopped there can be very good reasons to delay an announcement to the public until the appropriate authorities have had a fighting chance to go after the perpetrators.

      • by chill (34294)

        The authorities? You're kidding, right?

        Forget the fact that most police departments don't have the skilled personnel to deal with these sorts of things. Forget that most of them are overwhelmed with physical crimes, most of which never get solved. What makes you think any of them will have the jurisdiction to deal with anything?

        Notifying a national agency like the FBI will mostly overwhelm them. Yeah, it is great for their statistics, but lets not kid about their needing a head start. Anyone big enough

    • by jd (1658)

      It's reasonable to provide law enforcement some headstart, though not indefinite. How about a compromise? If Congress has to be informed within 48 hours, the public has to be informed within 72 hours whether or not Congress has taken action. It doesn't take a day for computer forensics teams to make backups of applicable system logs from the target, any zombies used, etc.

      I do agree that all prior breaches (well, within reason - say since 1998) should be listed to the extent that they are known. Chances are,

      • by blueg3 (192743)

        That's kind of tricky. It often can be easier to identify that there has been a potential data breach that it is to identify whether there actually was a breach and, if so, what the target was, was information was lost, and was systems were affected. It can take more than a day, on big targets, to get all of the data that may contain evidence from the targets (even after you've identified the targets). Worse, it can take a long time to identify what non-target machines were involved in the attack -- and for

  • by Thornburg (264444) on Monday June 13, 2011 @04:05PM (#36428396)

    So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.

    TFA mentions "nationwide" notification, but not a timetable.

    • by Bios_Hakr (68586) <xptical@@@gmail...com> on Monday June 13, 2011 @04:19PM (#36428552) Homepage

      Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

      Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book) [wikipedia.org]

      I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

      If they haven't collected enough evidence in 120 hours, then they should pull the plug.

      • Well it sounds like they are talking a data breach not a security breach. Hacker breaks into the server, prods around harmless files attempting to learn what the software setup is just looking around scoping out for his later attack, then signs off with no traces of actually gathering anything, that is one thing. Hacker downloads any CC#'s or other sensitive data, that is a data breach, and it's time to stop fscking around and cut him out and get apology notices ready ASAP.
      • That example only sort of works. The accounts and the data on those computers were work related, so the owner of the works being stolen was basically the department. And Cliff Stoll told his boss what was happening, and got permission to proceed. So this is similar to telling the customers their data is being stolen, and then asking them for permission to monitor it while it continues.
    • Agreed - even 48 hours is a bit long in today's digital world and the government would only be a middle-man to who the information needs to get to as you were saying.

      If the legislators knew anything about computers, maybe they'd do something smart like require auditing software which detects mass-retrieval of data. That way, in most instances, the leak can be detected immediately instead of potentially not at all like some companies.

      Heck - I think it would be better to require them to notify the gover
  • sure (Score:5, Interesting)

    by waddgodd (34934) on Monday June 13, 2011 @04:09PM (#36428438) Homepage Journal

    Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?

    • by TubeSteak (669689)

      Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did.

      I'm not aware of any mandatory reporting law at the Federal level.
      It seems Anonymous and LulzSec have finally lit a fire under someone who can move and shake in Washington.

      And FYI, legislation like this is usually the first in a series of bills.
      Mandatory reporting lets them see the scope of the problem and determine what can be solved at the regulatory level, as opposed to the legislative level.

    • by dkleinsc (563838)

      Bruce Schneier has written about the effectiveness of this sort of legislation before:
      http://www.schneier.com/blog/archives/2006/04/identitytheft_d.html [schneier.com]

      Without disclosure laws, there's a darn good chance that the recent Citibank and Sony breaches might never have become public. Are they perfect? No, but they're a heck of a lot better than no disclosure laws.

  • Nothing but a scapegoat to cover up intentional 'leaking' of data to the highest bidder. Then some expendable CIO will get thrown in front of the bus to 'close' the case... rinse repeat.. Just more noise.. You have no privacy

  • done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
    they're one step closer to realizing they may never have needed the aforementioned item.

    make no mistake...this law is being enacted to protect two things:
    conspicuous consumption
    and the requirement for american consumers to be both poorly educated and wanton in their purchases.

    both of these elements are cornerstones in modern american society
    upon which our class system is based and our
    • by Talderas (1212466)

      done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
        they're one step closer to realizing they may never have needed the aforementioned item.

      Well duh. If you needed the item and didn't have it you'd be dead.

      If the consumer is dead I hardly doubt that they would not be rather concerned about the loss of that particular product.

  • But you see, this requires disclosure upon "discovering" a data breach. I have a feeling a couple of smart ass lawyers and an exec could find loopholes in whatever law may get passed and possibly with some extra unintended consequences.
  • or maybe... (Score:1, Interesting)

    by ohzero (525786)
    all these assholes could just stop storing everything in cleartext, and the problem would just go away without needing to involve bureaucrats.
    • If an authorized user can decrypt the data, then a phisher or a password cracker with the authorized user's credentials can decrypt the data. Not to mention that the key has to be stored somewhere, which will be accessible to root unless it's in a HSM.

      • by blueg3 (192743)

        Which is all automated systems. In any automated system, a person with sufficient access to the system can decrypt any stored data. (If the key is offline and you have only non-automated access to the data, you can store it securely.)

    • by AK Marc (707885)
      If they stored it all encrypted, then anyone with root could decrypt it, resulting in a zero extra security for the information on a compromised system.

      Drive encryption is almost completely useless unless the system is not physically secure and the encryption was selected assuming that the system would be off when compromised and the attacker would have physical access but not OS level access as a logged in user of any kind. None of that applies to a server compromised over the network.
  • If the law is applied, what will do the governement with the tenth of notifications each days ?
  • Sure Notify the Government and turn over a copy of all the files that might of been compromised, so that they can be um closely monitored for any suspicious activity that might lead to the capture of those terrible evil hackers. Because I love the idea of the Government having all the private info I gave to some company and for the people who breached the companies security as well to have it.
  • Why not require them to take proper steps to protect the data, not some half-arsed security mirage on the cheap done by the CTO's nephew's brother's neighbor's friend fresh out of CS101? The government could even mandate the corporations hiring a bluehat to give their systems a once-over or hire convicted hackers on a work-release program (it takes a thief to catch a thief, after all) to pentest the defenses and fine if not acceptable.

    But requiring notification with today's password reuse not going to help: most people use a single master password (present company excepted), so if one account gets hacked, all of them can be considered compromised. John Doe is never going to track down all his passwords that need changing (too many services used once and forgotten, too lazy, doesn't care, etc.), if he bothers to change any of them.

    • by AK Marc (707885)

      Why not require them to take proper steps to protect the data,

      Then you'll end up with systems where people follow the rules regardless of whether the rules make sense, and in many cases the rules themselves cause more problems than they fix (HIPAA, I'm looking at you). If you just define the "bad outcome" and put a fine on that, if the fine is high enough, then those dealing with it will spend as necessary to prevent "bad outcome." It's simpler to write, understand, and enforce than to come up with a computer security code as complex as the electrical code or buildi

      • Well, I wasn't suggesting creating a "Security code handbook", even though it seems like a good idea. If that were done, however, we'd have the same security systems across companies, with likely the same bugs and faults. In an electrical code or similar, that's okay, it's not like people are going to exploit it maliciously, but in corporate security, that's like putting a neon sign "TROUBLE APPLY HERE!".
        The "require them to take proper steps" was meant to be exactly what you said: an act that says "You get

  • S.A.F.E. DATA ? (Score:4, Insightful)

    by 2phar (137027) on Monday June 13, 2011 @04:43PM (#36428822)
    How about a law to require proper titles for acts instead of these stupid acronyms.
  • by izomiac (815208) on Monday June 13, 2011 @04:54PM (#36428938) Homepage
    IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.
    • by gmhowell (26755)

      Sounds like a place where the free market might actually work. But for some reason, I doubt that the widow of the congressman from Disney would go for such a scheme.

  • If the stolen data are the encrypted database tables (e.g. of a software like EncDB [izysoftware.com]) will be required a notification to the government?

All this wheeling and dealing around, why, it isn't for money, it's for fun. Money's just the way we keep score. -- Henry Tyroon

Working...