

03:45 PM

Obama Calls For 30-Day Breach Notification Policy For Hacked Companies

But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past year's high-profile hacks, experts say.

As part of the run-up to his State of the Union speech on Jan. 20, President Obama proposed legislation today requiring companies hit by a data breach to inform affected customers within 30 days of discovering that the data was exposed.

A national breach notification law has been the subject of a fierce battle on the Hill for years to no avail, but the specter of Sony's massive and very public breach, as well as the Year of the Retailer Breach in 2014, provided a high-profile backdrop for the president's announcement. Obama's proposed Personal Data Notification and Protection Act aims to unify the differing and often confusing mix of notification laws across 48 states.

"We're introducing new legislation to create a… strong national standard so Americans know when their information has been stolen," Obama said at a Federal Trade Commission (FTC) event today in Washington. "Under the new standard we’re proposing, companies would have to notify consumers of a breach within 30 days."

The proposed 30-day policy drew mostly praise from security experts. But policy watchers say the chances of Congress ultimately passing a mandatory disclosure law appear slim, even with the Sony breach and other high-profile incidents in the past year as prime ammunition for action.

"Mandatory notification will not pass Congress automatically or quickly," says Kristen Verderame, CEO of Pondera International, a boutique consultancy that works with startups and specializes in cyber security policy. "My experience is that the same opponents will push against any legislation on this topic, as they have in the past -- despite Sony -- and corporations will continue to use the same cost/benefit analysis to determine whether and when to make the existence of a breach public."

The new Republican-majority Congress will make any mandatory rules for businesses even more difficult to pass, Verderame says. But "harmonizing" breach notification requirements could be achieved by the administration and Congress. "The exception to this may be simply harmonizing data breach notification requirements across the country so that there is one rule for companies to follow, instead of 50. The business community supports, as do I, harmonization wherever it aids compliance."

Breach notification is a delicate dance for businesses, and a tight disclosure deadline carries risks to a company's image and to its shareholders. "Having served as an exec at a Fortune 100 company, I agree with many corporates' views that, if companies are forced to announce breaches to the public on a certain timeline that may not accommodate necessary risk and preparatory analysis, more risk of harm to the company may be caused."

Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says.

"I am hopeful that we're finally at the stage where we can move some of these pieces through Congress and the administration… because we've seen a natural maturation process, with a number of different bills going through Congress," Clinton says. "We might be at the right maturation point."

Battling ID theft
Obama's proposed legislation also would criminalize "illicit overseas trade in identities," according to the White House.

In addition, the president set out related proposals for identity theft protection, announcing that JPMorgan Chase and Bank of America had teamed up with Fair Isaac Corp. (FICO) to make credit scores free to their consumer card customers. USAA and State Employees' Credit Union will do the same, and Ally Financial will make this information available to its auto loan customers, according to the White House.

"Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders," the White House said.

"The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy," Obama said at the FTC event.

Ken Levine, CEO of Digital Guardian, says the devil's in the details. "Breach notification is a good idea, depending on the definition of a breach. From a public perspective, there's always that fine line between so many breach notifications desensitizing people to the problem, or overly panicking."


Today's announcements kicked off a week of pre-State of the Union cyber security and privacy initiatives. The other initiatives being announced by the administration this week include a proposed Student Digital Privacy Act, which would ensure that data collected in education environments isn't sold to third parties for targeted advertising or other non-educational purposes; new Department of Education services to protect students' privacy, including teacher training on protecting student data; a Voluntary Code of Conduct by which utilities and related third parties would pledge to protect customers' electricity data; and Consumer Privacy Bill of Rights legislation, which would ensure that online consumer data collection is not abused.

And that's not all: When he visits the National Cybersecurity and Communications Integration Center tomorrow, Obama is expected to talk about beefing up cyber security information sharing between the government and private industry. The long-debated and still-stalled Cyber Intelligence Sharing and Protection Act (CISPA) will likely be front and center of that discussion. That bill aims to provide liability protection for companies that share attack intelligence, but privacy advocates aren't convinced it would keep shared data confidential, and they fear it would instead open the door to privacy-invading government monitoring.

CISPA isn't a cure-all for preventing breaches, either. "What concerns me about CISPA is that it will tempt organizations to focus on indicators of compromise and not a solid security program," says Ron Gula, CEO and CTO at Tenable Network Security. "If the government gives out a list of bad actors, organizations may feel they are doing enough -- and have invested enough -- if they don't have any evidence of those bad actors on their network." The bill wouldn't have prevented Sony's massive attack, despite pressure in Congress to pass CISPA in the wake of that breach.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
John Albertini, 1/13/2015 | 9:31:59 AM
A bit loooooong
30 days?!

Don't I have a right to know immediately if my personal information has been hacked?

Why shouldn't there be a 30 MINUTE law?!!!!!!
Thomas Claburn, 1/12/2015 | 6:28:24 PM
a bit late
California has had a breach notification requirement since 2003. I doubt a national version will change things much.