With each new day bringing news of another intrusion at a high-profile company or government agency, lawmakers are considering a number of legislative responses to the problem, including a potential bill that would require companies to report breaches within 48 hours and establish penalties for companies that fail to do so.
The draft bill is being circulated by Rep. Mary Bono Mack (R-Calif.) and it is one of a couple of potential legislative remedies that Congress will be considering in the coming months. Mack’s draft bill comprises a number of components, but the most noteworthy bit is the requirement for organizations that suffer a data breach to notify the Federal Trade Commission and customers within 48 hours of discovering and assessing a breach.
“You shouldn’t have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit ‘enter.’ E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security,” Mack said in a statement about the bill, which is currently in discussion draft form. “Most importantly, consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”
The Subcommittee on Commerce, Manufacturing and Trade will conduct a hearing on the bill, known as the Secure and Fortify Data Act (SAFE Data Act), on Wednesday at 10 a.m.
Mack’s proposed legislation would also require non-commercial organizations such as non-profits and universities to comply with the breach-notification law.
In addition to the proposed SAFE Data Act, Congress currently has a second proposed breach-notification law in front of it. The White House last month sent Congress a cybersecurity legislation package that also includes a national data-breach notification bill. That bill is still making its way through the legislative process, but in an interview recently, Howard Schmidt, White House cybersecurity coordinator, said that he feels good about its prospects for passing.
“Well, we feel very positive about it. As you know, that was part of the proposed legislation in having this national data breach, and it does a couple things. One, it really sets an environment where people would have a better understanding exactly what their rights are under a national law as opposed to where the data was hosted and some of the things that they have to try to identify themself with the, I think, around 47 different data breach notification laws across the states who basically have done a great job in helping to protect consumers, but it still is somewhat confusing because of the very nature of the technology and the way it works,” Schmidt said.
“The second piece of it, when we start looking at companies that have to deal with this, they – companies have become a victim, which then ultimately becomes a requirement to have data breach notifications of the end users.”
The legislative push comes at a time when high-profile breaches are in the headlines virtually every day of the week. Recent major attacks against Epsilon, RSA, Sony, Citigroup, the U.S. Senate and the International Monetary Fund have brought the problem of targeted attacks against data-rich organizations out of the security community and into the national discussion. Lawmakers and regulators have begun to sit up and take notice of the issue, and it looks likely that some form of national mandatory notification law will be passed in the next few months.