Proposed law would jail execs who fail to report data breaches

We found out last month that Uber paid hackers $100,000 in hush money after they stole 57 million driver and rider accounts in 2016. Then, it zipped its lip on the data breach, failing to inform victimized customers and drivers for more than a year.

There was talk at the time – in our comments section at least – that somebody at Uber should face legal consequences for aiding and abetting the hackers.
You know, the criminal charge isn’t a bad idea. Of course, criminal charges could also potentially be applied to other companies whose executives might have failed to inform customers, regulators and other appropriate authorities about a breach. (Equifax comes to mind, what with its big cluster-muck of a breach, though for what it’s worth, its execs have been cleared of wrongdoing for their impeccably timed, post-breach, pre-notification stock sell-offs.)
Well, those wishing for criminal comeuppance will likely be heartened to know that the US Senate is thinking along similar lines, though more regarding the “failure to notify” transgression rather than on the “aiding and abetting” side.
A Senate bill that would make it a crime – punishable by up to five years in prison – for companies to knowingly conceal a breach of customer information has been re-introduced after failing to pass in 2015.
Senator Bill Nelson (D-FL), the top Democrat on the Senate Commerce Committee, re-introduced the bill on Thursday. He first gave this a go in 2015, when his was one of several bills put forward to protect consumers from data breaches. Nelson tried to pass the bill, called the Data Security and Breach Notification Act, during the last session.
The 2015 attempt failed when the Senate split over concerns regarding privacy and potential over-regulation. There were good reasons to shoot it down then, and there well might be good reasons to shoot it down this time around.
In April 2015, the Washington Post talked to privacy advocates who said that the then-current version of the bill would leave us worse off, given that it would undercut stronger state laws and kill some federal-level protections.
WashPo quoted Rep. Jan Schakowsky (D-Ill.):
Fifty-one states or territories have some sort of data protection legislation on the books. Thirty-eight would see the data protection breach notification diminished in some way because this is a pre-emption law.
She said that breach notification standards in the 2015 version of the bill hinged on actual or potential financial harms, “although many states have laws with lower thresholds for notification, such as in the event of any unauthorized access or when there is a potential risk to consumers, even if it’s not specifically financial.”
If the name of the bill sounds familiar, it’s because the Data Security and Breach Notification Act has been struggling to crawl out of the primordial legislative ooze for a long time. When senators introduced Senate Bill 3333 – the Data Security and Breach Notification Act of 2012 – it was at least the fourth attempt at passing national legislation in the US to consolidate the more than 40 different state laws that were then in place. The aim was one, single law that would simplify compliance and ensure a more uniform notification process when a breach occurs.
Even that 2012 version was a bit more watered down and less specific than the version President Obama proposed in 2011, but no matter: it didn’t go anywhere.
At any rate, Nelson says it’s high time to hold companies responsible. From his announcement about the 2017 incarnation of the act:
We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers. Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.
Besides requiring that companies quickly notify consumers of a data breach and carrying lengthy jail time for those who try to cover up breaches, the legislation also directs the Federal Trade Commission (FTC) to develop strict security standards that businesses would be required to follow to better protect consumers’ personal and financial data. It also offers incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.
The bill would further direct the Department of Homeland Security (DHS) to set up a new federal entity to which data breaches would have to be reported if they involve:
the personal information of more than 10,000 individuals,
a database containing the personal information of more than 1 million individuals,
federal government databases, or
the personal information of federal employees or contractors known to be involved in national security or law enforcement.
The new, designated federal entity would be responsible for notifying a laundry list of other federal agencies:
US Secret Service
FBI
Federal Trade Commission (FTC)
US Postal Inspection Service, if mail fraud is involved
Attorneys general of affected states
Appropriate federal agencies for law enforcement, national security, or data security purposes
Should we hope that the new bill passes?
Maybe – but only if we see a version that improves on the state laws we now have in place. First, make the privacy advocates happy; only then will we wish the legislation godspeed.
Follow @LisaVaas