Legislation In the Works To Require Companies To Report Privacy Breaches

An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach. "Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"

Notify Customers

[KPU]

How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?

Re:

[Anonymous Coward]

We should require hackers to provide 48 hrs advance notice of intent to breach privacy too.

Re:

[Teun]

Mandatory notification of customers should be part of the bill, but not necessarily before the authorities.

You first have to stop the breach form continuing/ recurring.

When you are not sure on how to stop the threat from continuing there is every reason to not notify the public, notifying the authorities would be a lot safer.

Re:

[AK Marc]

You first have to stop the breach form continuing/ recurring.

Why? Why would it be more important to purposefully silence an organization (or allow them to be silent when they know they shouldn't be) because they are incompetent? An organization that stops the breach faster is required to announce faster, while the incompetent ones who take longer get greater immunity from notifying people? That seems silly.

Having the PR department notify while the IT department is working on the problem doesn't cause any delay to fixing the problem. Or are you assuming that the

Re:

[Teun]

I am surprised this needs expanding.

When you notify the public you also notify the perpetrator limiting the chance of catching him.
And in case of a serious vulnerability you potentially invite more trouble.

Pulling the plug on the affected server is not always the best solution.

Re:

[AK Marc]

When you notify the public you also notify the perpetrator limiting the chance of catching him.

You are asserting that vengeance is more important than security. I disagree.

Pulling the plug on the affected server is not always the best solution.

I agree. I never said it was. I said it was a guarantee of ending the breach in progress. Or do you disagree?

You are apparently coming up with reasons to let a breach continue to occur. I think that's a horrible idea. The police don't respond to an assault with cameras and make sure they take enough pictures while it's happening to identify the perpetrator in case he flees while they try to break it up. They stop the crime

Re:

[Teun]

I do believe a breach should only in exceptional en well controlled cases be allowed to continue.

But even when the breach is stopped there can be very good reasons to delay an announcement to the public until the appropriate authorities have had a fighting chance to go after the perpetrators.

Re:

[chill]

The authorities? You're kidding, right?

Forget the fact that most police departments don't have the skilled personnel to deal with these sorts of things. Forget that most of them are overwhelmed with physical crimes, most of which never get solved. What makes you think any of them will have the jurisdiction to deal with anything?

Notifying a national agency like the FBI will mostly overwhelm them. Yeah, it is great for their statistics, but lets not kid about their needing a head start. Anyone big enough

Re:

[Teun]

So you think this bill is stupid enough to relegate the solution to a local street cop.

Re:

[chill]

I have faith in Congress. :-)

Re:

[AHuxley]

Your local police would be hooked into a http://en.wikipedia.org/wiki/Fusion_center [wikipedia.org] (or more) in most states. A report of hacking would be useful as it would add to the need for more cyber funding.
The fusion networks have connections to the DHS, NSA, mil ect.

Re:

[jd]

It's reasonable to provide law enforcement some headstart, though not indefinite. How about a compromise? If Congress has to be informed within 48 hours, the public has to be informed within 72 hours whether or not Congress has taken action. It doesn't take a day for computer forensics teams to make backups of applicable system logs from the target, any zombies used, etc.

I do agree that all prior breaches (well, within reason - say since 1998) should be listed to the extent that they are known. Chances are,

Re:

[blueg3]

That's kind of tricky. It often can be easier to identify that there has been a potential data breach that it is to identify whether there actually was a breach and, if so, what the target was, was information was lost, and was systems were affected. It can take more than a day, on big targets, to get all of the data that may contain evidence from the targets (even after you've identified the targets). Worse, it can take a long time to identify what non-target machines were involved in the attack -- and for

notify the government? How about us?

[Thornburg]

So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.

TFA mentions "nationwide" notification, but not a timetable.

Re:notify the government? How about us?

[Bios_Hakr]

Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book) [wikipedia.org]

I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

If they haven't collected enough evidence in 120 hours, then they should pull the plug.

Re:

[Riceballsan]

Well it sounds like they are talking a data breach not a security breach. Hacker breaks into the server, prods around harmless files attempting to learn what the software setup is just looking around scoping out for his later attack, then signs off with no traces of actually gathering anything, that is one thing. Hacker downloads any CC#'s or other sensitive data, that is a data breach, and it's time to stop fscking around and cut him out and get apology notices ready ASAP.

Re:

[martin-boundary]

That example only sort of works. The accounts and the data on those computers were work related, so the owner of the works being stolen was basically the department. And Cliff Stoll told his boss what was happening, and got permission to proceed. So this is similar to telling the customers their data is being stolen, and then asking them for permission to monitor it while it continues.

Re:

[CaptainPatent]

Agreed - even 48 hours is a bit long in today's digital world and the government would only be a middle-man to who the information needs to get to as you were saying.

If the legislators knew anything about computers, maybe they'd do something smart like require auditing software which detects mass-retrieval of data. That way, in most instances, the leak can be detected immediately instead of potentially not at all like some companies.

Heck - I think it would be better to require them to notify the gover

Re:

[AK Marc]

More government control is only advocated when private industry has had a chance to fix it themselves and has proven that they act in the opposite of the best interests of the public, despite requests to the contrary. Government control wasn't the first step. But it's the last when the requests for reasonable notification are ignored for decades and only getting worse.

sure

[waddgodd]

Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?

Re:

[TubeSteak]

Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did.

I'm not aware of any mandatory reporting law at the Federal level.
It seems Anonymous and LulzSec have finally lit a fire under someone who can move and shake in Washington.

And FYI, legislation like this is usually the first in a series of bills.
Mandatory reporting lets them see the scope of the problem and determine what can be solved at the regulatory level, as opposed to the legislative level.

Re:

[waddgodd]

Sarbanes-Oxley for starters.... http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act [wikipedia.org]

Re:

[dkleinsc]

Bruce Schneier has written about the effectiveness of this sort of legislation before:
http://www.schneier.com/blog/archives/2006/04/identitytheft_d.html [schneier.com]

Without disclosure laws, there's a darn good chance that the recent Citibank and Sony breaches might never have become public. Are they perfect? No, but they're a heck of a lot better than no disclosure laws.

'Privacy breaches'

[countertrolling]

Nothing but a scapegoat to cover up intentional 'leaking' of data to the highest bidder. Then some expendable CIO will get thrown in front of the bus to 'close' the case... rinse repeat.. Just more noise.. You have no privacy

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Talderas]

done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
  they're one step closer to realizing they may never have needed the aforementioned item.

Well duh. If you needed the item and didn't have it you'd be dead.

If the consumer is dead I hardly doubt that they would not be rather concerned about the loss of that particular product.

Discovery channel

[relikx]

But you see, this requires disclosure upon "discovering" a data breach. I have a feeling a couple of smart ass lawyers and an exec could find loopholes in whatever law may get passed and possibly with some extra unintended consequences.

Re:

[jd]

Governments do that all the time. When you want to publish a statement but can't make an official announcement, you leak it to the press. Standard operating procedure.

Re:

[AK Marc]

If the breach was the accident, not the leak. Someone hacking your system isn't an accidental breach. Sending a mass email with all email addresses in the TO: field is a breach of security that was an accident (and has happened plenty of times). The leak is never "on purpose" but an "on purpose leak" is not the opposite of an "accidental breach."

Re:

[Opportunist]

Am I the only one who notices that last part as a bit ... odd?

I mean, from the point of view of someone whose data has been leaked, where is the difference between leakage due to a hacker breaking in or it being published accidentally? There is none. Some "evil" person may have it now.

From the law enforcement's point of view there is a big one. The intention is not to prosecute companies for lax security, the intention is to prosecute someone breaking into the data center of a company. Why else would there

or maybe...

[ohzero]

all these assholes could just stop storing everything in cleartext, and the problem would just go away without needing to involve bureaucrats.

Re:

[Beryllium Sphere(tm)]

If an authorized user can decrypt the data, then a phisher or a password cracker with the authorized user's credentials can decrypt the data. Not to mention that the key has to be stored somewhere, which will be accessible to root unless it's in a HSM.

Re:

[blueg3]

Which is all automated systems. In any automated system, a person with sufficient access to the system can decrypt any stored data. (If the key is offline and you have only non-automated access to the data, you can store it securely.)

Re:

[AK Marc]

If they stored it all encrypted, then anyone with root could decrypt it, resulting in a zero extra security for the information on a compromised system.

Drive encryption is almost completely useless unless the system is not physically secure and the encryption was selected assuming that the system would be off when compromised and the attacker would have physical access but not OS level access as a logged in user of any kind. None of that applies to a server compromised over the network.

and after

[e70838]

If the law is applied, what will do the governement with the tenth of notifications each days ?

Re:

[dilvish_the_damned]

If the law is applied, what will do the governement with the tenth of notifications each days ?

Get more funding.

Sure Notify the Government and

[Dyinobal]

Sure Notify the Government and turn over a copy of all the files that might of been compromised, so that they can be um closely monitored for any suspicious activity that might lead to the capture of those terrible evil hackers. Because I love the idea of the Government having all the private info I gave to some company and for the people who breached the companies security as well to have it.

Cloak after the rain?

[ThunderBird89]

Why not require them to take proper steps to protect the data, not some half-arsed security mirage on the cheap done by the CTO's nephew's brother's neighbor's friend fresh out of CS101? The government could even mandate the corporations hiring a bluehat to give their systems a once-over or hire convicted hackers on a work-release program (it takes a thief to catch a thief, after all) to pentest the defenses and fine if not acceptable.

But requiring notification with today's password reuse not going to help: most people use a single master password (present company excepted), so if one account gets hacked, all of them can be considered compromised. John Doe is never going to track down all his passwords that need changing (too many services used once and forgotten, too lazy, doesn't care, etc.), if he bothers to change any of them.

Re:

[AK Marc]

Why not require them to take proper steps to protect the data,

Then you'll end up with systems where people follow the rules regardless of whether the rules make sense, and in many cases the rules themselves cause more problems than they fix (HIPAA, I'm looking at you). If you just define the "bad outcome" and put a fine on that, if the fine is high enough, then those dealing with it will spend as necessary to prevent "bad outcome." It's simpler to write, understand, and enforce than to come up with a computer security code as complex as the electrical code or buildi

Re:

[ThunderBird89]

Well, I wasn't suggesting creating a "Security code handbook", even though it seems like a good idea. If that were done, however, we'd have the same security systems across companies, with likely the same bugs and faults. In an electrical code or similar, that's okay, it's not like people are going to exploit it maliciously, but in corporate security, that's like putting a neon sign "TROUBLE APPLY HERE!".
The "require them to take proper steps" was meant to be exactly what you said: an act that says "You get

S.A.F.E. DATA ?

[2phar]

How about a law to require proper titles for acts instead of these stupid acronyms.

Make it a legal liability

[izomiac]

IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.

Re:

[gmhowell]

Sounds like a place where the free market might actually work. But for some reason, I doubt that the widow of the congressman from Disney would go for such a scheme.

What if there is a leak of encrypted information?

[riky78]

If the stolen data are the encrypted database tables (e.g. of a software like EncDB [izysoftware.com]) will be required a notification to the government?