Senators Again Propose National Breach Notification Law

Photo: alchemist_x, via Flickr/CC
A trio of Democratic Senators is attempting to catapult Congress into the information security era by pushing for passage of a U.S. national data breach notification law.
Sen. Bill Nelson of Florida, the top Democrat on the Senate Commerce Committee, on Thursday announced a bill, dubbed the Data Security and Breach Notification Act. Many other similar bills introduced earlier have failed to advance.
The data breach notification measure would give companies a maximum of 30 days to notify victims and authorities after they discover a data breach. The bill also would make it a crime – punishable by up to five years in prison – to knowingly conceal a breach. Nelson’s bill is being co-sponsored by two fellow Democratic committee members, Sen. Richard Blumenthal of Connecticut and Tammy Baldwin of Wisconsin. It would not supersede HIPAA’s breach notification rule for the healthcare sector or the cybersecurity requirements of the Gramm-Leach-Bliley Act for the financial sector.
The Data Security and Breach Notification Act.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson says. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
The bill represents a repeat play by Nelson, who introduced the same legislation last year. This year, however, the proposed legislation comes on the heels of ride-sharing firm Uber on Nov. 21 warning that it suffered a breach that exposed personal information for 57 million of its riders and drivers.
The company concealed the breach for a year. Uber CEO Dara Khosrowshahi, who joined the company in early September, also waited until two months after he first learned of the breach to finally issue the company’s data breach notification (see Did Uber Break Breach Notification Minimum-Speed Limits?).
All previous efforts by Congress to enact national breach notification requirements have failed. Not even the massive Equifax breach appears to have swayed the majority of U.S. lawmakers to act (see Cynic’s Guide to the Equifax Breach: Nothing Will Change).
Breach Forecast: Bad, Becoming Worse
The data breach forecast is clear: Things are only going to get worse, fueled by cloud services, organizations gathering and storing the maximum amount of people’s personal information they can get their hands on – and never deleting it – as well as a widespread “lack of accountability” whenever anything goes wrong, Australian data breach expert Troy Hunt told a House Committee on Energy and Commerce subcommittee at a Thursday hearing (see 2017: ‘Year of the Breach’ Redux?).
“The industry has created a ‘perfect storm’ for data exposure,” Hunt said. “The rapid emergence of cheap, easily accessible cloud services has accelerated the growth of other online services collecting data. Further to that, the rapidly emerging internet of things is enabling us to digitize all new classes of information, thus exposing them to the risk of a data breach.”
Troy Hunt addresses a House Committee on Energy and Commerce subcommittee during a Nov. 30 hearing on “Identity Verification in a Post-Breach World.”
States Take Consumer Protection Lead
So far, Congress has failed to pass any law requiring businesses and other organizations to warn consumers when they lose control of people’s personal information, except in the case of health data breach notifications, which are required under HIPAA. Otherwise, states have taken up the consumer protection and privacy-safeguarding cause, starting with California in 2003. Since then, 47 other states as well as the District of Columbia, Guam, Puerto Rico and the Virgin Islands have passed some type of breach notification law. Only Alabama and South Dakota lack data breach notification laws (see Delaware Toughens Data Breach Notification Law).
Sen. Bill Nelson talks breach notification at a Nov. 8 Senate Commerce Committee hearing.
Various Congressional committees have approved data breach notification bills in the past. But those bills have not only failed to pass; they have also largely failed to pass muster with consumer protection experts. Many have been much weaker than laws already in effect in some states, including California and Massachusetts, which prescribe specific information security requirements that all organizations must put in place.
Have I Been Pwned?
Besides notification laws, grassroots efforts have also been instrumental in alerting individuals after their personal details appear to have been compromised. Hunt, for example, runs the free breach notification service Have I Been Pwned, which allows anyone to register their email address. Whenever that email address surfaces in a public data dump, the service automatically emails users to warn them (see Troy Hunt: The Delicate Balance in Data Breach Reporting).
Since launching the service four years ago, Hunt told the House subcommittee, he’s logged “more than 250 separate incidents and over 4.8 billion records.”

Such notifications, however, may come months or years after the breach occurred (see Yes, I Have Been Pwned).
“There is frequently a long lead-time – sometimes many years – between a data breach and the service owner – and those in the breach – learning of the incident,” Hunt told the House subcommittee. “We have no idea of how many incidents have already occurred but are yet to come to light.”