Obama Calls For 30-Day Breach Notification Policy For Hacked Companies

  /     /     /  
Publicated : 22/11/2024   Category : security


Obama Calls For 30-Day Breach Notification Policy For Hacked Companies


But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past years high-profile hacks, experts say.



As part of a the runup to his State of the Union speech on Jan. 20, President Obama proposed legislation today requiring companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data.
A national breach notification law has been the subject of a fierce battle on the Hill for years to no avail, but the specter of Sonys massive and very public breach, as well as the Year of the Retailer Breach in 2014, provided a high-profile backdrop for the presidents announcement. Obamas proposed Personal Data Notification and Protection Act aims to unify the differing and often confusing mix of notification laws across 48 states.
Were introducing new legislation to create a… strong national standard so Americans know when their information has been stolen,
Obama said
at a Federal Trade Commission (FTC) event today in Washington. Under the new standard we’re proposing, companies would have to notify consumers of a breach within 30 days.
The proposed 30-day policy drew mostly praise from security experts. But policy watchers say the chances of Congress ultimately passing a mandatory disclosure law appear slim, even with the Sony breach and other high-profile incidents in the past year as prime ammunition for action.
Mandatory notification will not pass Congress automatically or quickly, says Kristen Verderame, CEO of Pondera International, a boutique consultancy that works with startups and specializes in cyber security policy. My experience is that the same opponents will push against any legislation on this topic, as they have in the past -- despite Sony -- and corporations will continue to use the same cost/benefit analysis to determine whether and when to make the existence of a breach public.
The new Republican-majority Congress will make any mandatory rules for businesses even more difficult to pass, Verderame says. But harmonizing breach notification requirements could be achieved by the administration and Congress. The exception to this may be simply harmonizing data breach notification requirements across the country so that there is one rule for companies to follow, instead of 50. The business community supports, as do I, harmonization wherever it aids compliance.
Breach notification is a delicate dance for businesses, and if theres a relatively tight deadline imposed, its risky for them image-wise and shareholder-wise, for instance. Having served as an exec at a Fortune 100 company, I agree with many corporates views that, if companies are forced to announce breaches to the public on a certain timeline that may not accommodate necessary risk and preparatory analysis, more risk of harm to the company may be caused.
Larry Clinton, president and CEO of the Internet Security Alliance, says hes hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says.
I am hopeful that were finally at the stage where we can move some of these pieces through Congress and the administration… because weve seen a natural maturation process, with a number of different bills going through Congress, Clinton says. We might be at the right maturation point.
Battling ID theft
Obamas proposed legislation also would criminalize illicit overseas trade in identities,
according to the White House
.
In addition, the president set out related proposals for identity theft protection, announcing that JPMorgan Chase and Bank of America had teamed up with Fair Isaac Corp. (FICO) to make credit scores free to their consumer card customers. USAA and State Employees Credit Union will do the same, and Ally Financial will make this information available to its auto loan customers, according to the White House.
Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders, the White House said.
The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy, Obama said at the FTC event.
Ken Levine, CEO of Digital Guardian, says the devils in the details. Breach notification is a good idea, depending on the definition of a breach. From a public perspective, theres always that fine line between so many breach notifications desensitizing people to the problem, or overly panicking.
[When an attacker wants nothing more than to bring ruin upon your business, you cant treat that attacker like just any criminal. Just ask Sony. Read
How NOT To Be The Next Sony: Defending Against Destructive Attacks
.]
Todays announcements kicked off a week of pre-State of the Union cyber security and privacy initiatives. The other initiatives being announced by the administration this week include a proposed Student Digital Privacy Act, which would ensure any data collected in education environments isnt sold to third parties for targeted advertising or other non-educational purposes; new Department of Education services to protect students privacy, including teacher training to help protect student data; a Voluntary Code of Conduct by which utilities and related third parties would pledge to protect customers electricity data; and Customer Privacy Bill of Rights legislation, which would ensure online consumer data collection is not abused.
And thats not all: When he visits the National Cybersecurity and Communications Integration Center tomorrow, Obama is expected to talk about beefing up cyber security information sharing between the government and private industry. The long-debated and still-stalled Cyber Intelligence Sharing and Protection Act (CISPA) will likely be front and center of that discussion. That bill aims to provide liability protection for companies that share attack intelligence, but privacy advocates arent convinced that it would truly provide confidentiality and instead wouldnt lead to privacy-invading government monitoring.
CISPA isnt a cure-all for preventing breaches, either. What concerns me about CISPA is that it will tempt organizations to focus on indicators of compromise and not a solid security program, says Ron Gula, CEO and CTO at Tenable Network Security. If the government gives out a list of bad actors, organizations may feel they are doing enough -- and have invested enough -- if they dont have any evidence of those bad actors on their network. The bill wouldnt have prevented Sonys massive attack, despite pressure in Congress to pass CISPA in the wake of that breach.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies