Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/12/2015
03:45 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Obama Calls For 30-Day Breach Notification Policy For Hacked Companies

But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past year's high-profile hacks, experts say.

As part of a the runup to his State of the Union speech on Jan. 20, President Obama proposed legislation today requiring companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data.

A national breach notification law has been the subject of a fierce battle on the Hill for years to no avail, but the specter of Sony's massive and very public breach, as well as the Year of the Retailer Breach in 2014, provided a high-profile backdrop for the president's announcement. Obama's proposed Personal Data Notification and Protection Act aims to unify the differing and often confusing mix of notification laws across 48 states.

"We're introducing new legislation to create a… strong national standard so Americans know when their information has been stolen," Obama said at a Federal Trade Commission (FTC) event today in Washington. "Under the new standard we’re proposing, companies would have to notify consumers of a breach within 30 days."

The proposed 30-day policy drew mostly praise from security experts. But policy watchers say the chances of Congress ultimately passing a mandatory disclosure law appear slim, even with the Sony breach and other high-profile incidents in the past year as prime ammunition for action.

"Mandatory notification will not pass Congress automatically or quickly," says Kristen Verderame, CEO of Pondera International, a boutique consultancy that works with startups and specializes in cyber security policy. "My experience is that the same opponents will push against any legislation on this topic, as they have in the past -- despite Sony -- and corporations will continue to use the same cost/benefit analysis to determine whether and when to make the existence of a breach public."

The new Republican-majority Congress will make any mandatory rules for businesses even more difficult to pass, Verderame says. But "harmonizing" breach notification requirements could be achieved by the administration and Congress. "The exception to this may be simply harmonizing data breach notification requirements across the country so that there is one rule for companies to follow, instead of 50. The business community supports, as do I, harmonization wherever it aids compliance."

Breach notification is a delicate dance for businesses, and if there's a relatively tight deadline imposed, it's risky for them image-wise and shareholder-wise, for instance. "Having served as an exec at a Fortune 100 company, I agree with many corporates' views that, if companies are forced to announce breaches to the public on a certain timeline that may not accommodate necessary risk and preparatory analysis, more risk of harm to the company may be caused."

Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says.

"I am hopeful that we're finally at the stage where we can move some of these pieces through Congress and the administration… because we've seen a natural maturation process, with a number of different bills going through Congress," Clinton says. "We might be at the right maturation point."

Battling ID theft
Obama's proposed legislation also would criminalize "illicit overseas trade in identities," according to the White House.

In addition, the president set out related proposals for identity theft protection, announcing that JPMorgan Chase and Bank of America had teamed up with Fair Isaac Corp. (FICO) to make credit scores free to their consumer card customers. USAA and State Employees' Credit Union will do the same, and Ally Financial will make this information available to its auto loan customers, according to the White House.

"Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders," the White House said.

"The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy," Obama said at the FTC event.

Ken Levine, CEO of Digital Guardian, says the devil's in the details. "Breach notification is a good idea, depending on the definition of a breach. From a public perspective, there's always that fine line between so many breach notifications desensitizing people to the problem, or overly panicking."

[When an attacker wants nothing more than to bring ruin upon your business, you can't treat that attacker like just any criminal. Just ask Sony. Read How NOT To Be The Next Sony: Defending Against Destructive Attacks.]

Today's announcements kicked off a week of pre-State of the Union cyber security and privacy initiatives. The other initiatives being announced by the administration this week include a proposed Student Digital Privacy Act, which would ensure any data collected in education environments isn't sold to third parties for targeted advertising or other non-educational purposes; new Department of Education services to protect students' privacy, including teacher training to help protect student data; a Voluntary Code of Conduct by which utilities and related third parties would pledge to protect customers' electricity data; and Customer Privacy Bill of Rights legislation, which would ensure online consumer data collection is not abused.

And that's not all: When he visits the National Cybersecurity and Communications Integration Center tomorrow, Obama is expected to talk about beefing up cyber security information sharing between the government and private industry. The long-debated and still-stalled Cyber Intelligence Sharing and Protection Act (CISPA) will likely be front and center of that discussion. That bill aims to provide liability protection for companies that share attack intelligence, but privacy advocates aren't convinced that it would truly provide confidentiality and instead wouldn't lead to privacy-invading government monitoring.

CISPA isn't a cure-all for preventing breaches, either. "What concerns me about CISPA is that it will tempt organizations to focus on indicators of compromise and not a solid security program," says Ron Gula, CEO and CTO at Tenable Network Security. "If the government gives out a list of bad actors, organizations may feel they are doing enough -- and have invested enough -- if they don't have any evidence of those bad actors on their network." The bill wouldn't have prevented Sony's massive attack, despite pressure in Congress to pass CISPA in the wake of that breach.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
John Albertini
50%
50%
John Albertini,
User Rank: Apprentice
1/13/2015 | 9:31:59 AM
A bit loooooong
30 days?!

Don't I have a right to know immediately if my personal infoirmation has been hacked?

Why shouldn't there be a 30 MINUTE law?!!!!!!
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
1/12/2015 | 6:28:24 PM
a bit late
California has had a breach notification requirement since 2003. I doubt a national version will change things much.
<<   <   Page 2 / 2
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15151
PUBLISHED: 2019-08-18
AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.
CVE-2019-15149
PUBLISHED: 2019-08-18
core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected.
CVE-2019-15145
PUBLISHED: 2019-08-18
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
CVE-2019-15146
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
CVE-2019-15147
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.