
Legislation In the Works To Require Companies To Report Privacy Breaches

Soulskill posted more than 2 years ago | from the thanks-sony dept.

Government 62

An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach. "Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"


62 comments

Notify Customers (5, Interesting)

KPU (118762) | more than 2 years ago | (#36428354)

How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?

Re:Notify Customers (1)

Anonymous Coward | more than 2 years ago | (#36428400)

We should require hackers to provide 48 hrs advance notice of intent to breach privacy too.

Re:Notify Customers (1)

Teun (17872) | more than 2 years ago | (#36428884)

Mandatory notification of customers should be part of the bill, but not necessarily before the authorities.

You first have to stop the breach from continuing/recurring.

When you are not sure on how to stop the threat from continuing there is every reason to not notify the public, notifying the authorities would be a lot safer.

Re:Notify Customers (1)

AK Marc (707885) | more than 2 years ago | (#36429212)

You first have to stop the breach from continuing/recurring.

Why? Why would it be more important to purposefully silence an organization (or allow them to be silent when they know they shouldn't be) because they are incompetent? An organization that stops the breach faster is required to announce faster, while the incompetent ones who take longer get greater immunity from notifying people? That seems silly.

Having the PR department notify while the IT department is working on the problem doesn't cause any delay to fixing the problem. Or are you assuming that the company is so small that the PR and IT departments share resources?

When you are not sure on how to stop the threat from continuing there is every reason to not notify the public, notifying the authorities would be a lot safer.

What possible reason is there in not notifying the public? And everyone knows how to "stop" the breach. You pull the power cords on the affected servers. But you are apparently in favor of actively running compromised servers without notifying the public that their information is currently being stolen, rather than actually stopping the breach and dealing with the IT and PR problems it created.

Re:Notify Customers (1)

Teun (17872) | more than 2 years ago | (#36429770)

I am surprised this needs expanding.

When you notify the public you also notify the perpetrator, limiting the chance of catching him.
And in case of a serious vulnerability you potentially invite more trouble.

Pulling the plug on the affected server is not always the best solution.

Re:Notify Customers (2)

AK Marc (707885) | more than 2 years ago | (#36429962)

When you notify the public you also notify the perpetrator, limiting the chance of catching him.

You are asserting that vengeance is more important than security. I disagree.

Pulling the plug on the affected server is not always the best solution.

I agree. I never said it was. I said it was a guarantee of ending the breach in progress. Or do you disagree?

You are apparently coming up with reasons to let a breach continue to occur. I think that's a horrible idea. The police don't respond to an assault with cameras and make sure they take enough pictures while it's happening to identify the perpetrator in case he flees while they try to break it up. They stop the crime in progress, then worry about the rest.

Re:Notify Customers (1)

Teun (17872) | more than 2 years ago | (#36434104)

I do believe a breach should only in exceptional and well controlled cases be allowed to continue.

But even when the breach is stopped there can be very good reasons to delay an announcement to the public until the appropriate authorities have had a fighting chance to go after the perpetrators.

Re:Notify Customers (2)

chill (34294) | more than 2 years ago | (#36429368)

The authorities? You're kidding, right?

Forget the fact that most police departments don't have the skilled personnel to deal with these sorts of things. Forget that most of them are overwhelmed with physical crimes, most of which never get solved. What makes you think any of them will have the jurisdiction to deal with anything?

Notifying a national agency like the FBI will mostly overwhelm them. Yeah, it is great for their statistics, but let's not kid about their needing a head start. Anyone big enough to matter already cooperates with them first, anyway. The rest will just sit on the pile because they don't have the resources to deal with it.

Notifying *customers* is the one thing they can do that might actually make a difference.

Re:Notify Customers (1)

Teun (17872) | more than 2 years ago | (#36429798)

So you think this bill is stupid enough to relegate the solution to a local street cop.

Re:Notify Customers (2)

jd (1658) | more than 2 years ago | (#36428890)

It's reasonable to provide law enforcement some head start, though not indefinite. How about a compromise? If Congress has to be informed within 48 hours, the public has to be informed within 72 hours whether or not Congress has taken action. It doesn't take a day for computer forensics teams to make backups of applicable system logs from the target, any zombies used, etc.

I do agree that all prior breaches (well, within reason - say since 1998) should be listed to the extent that they are known. Chances are, for a lot of that time, companies were being broken into left and right with no awareness of it whatsoever. The exception should be banks and other financial institutions, since they have been required by the business world to use computers for a very long time and are required to have far higher standards. For them, I'd say 1988 would be a better cutoff point.

Re:Notify Customers (2)

blueg3 (192743) | more than 2 years ago | (#36429050)

That's kind of tricky. It often can be easier to identify that there has been a potential data breach than it is to identify whether there actually was a breach and, if so, what the target was, what information was lost, and what systems were affected. It can take more than a day, on big targets, to get all of the data that may contain evidence from the targets (even after you've identified the targets). Worse, it can take a long time to identify what non-target machines were involved in the attack -- and for proper incident response, you need the data from them, too.

So I think it's tough to set a timetable, especially a short one, for reporting data breaches.

On the other hand, I think it should be mandatory to report data breaches to the public once the breach has been investigated.

They'll have to publish it in the newspaper (0)

Anonymous Coward | more than 2 years ago | (#36428364)

That'll help keep the newspapers afloat, too!

First things first (-1)

Anonymous Coward | more than 2 years ago | (#36428368)

I suggest they amend the bill to make it mandatory for companies to first post here within 48 hours of discovering a data breach.

My work here is done, thank you.

Useless (0)

Anonymous Coward | more than 2 years ago | (#36428378)

Who's going to investigate/enforce these cases? The state of California? Somehow I don't think so.

There's already private lawsuits that fit the need, including costs involved.

notify the government? How about us? (4, Interesting)

Thornburg (264444) | more than 2 years ago | (#36428396)

So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.

TFA mentions "nationwide" notification, but not a timetable.

Re:notify the government? How about us? (4, Interesting)

Bios_Hakr (68586) | more than 2 years ago | (#36428552)

Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

If they haven't collected enough evidence in 120 hours, then they should pull the plug.

Re:notify the government? How about us? (1)

Riceballsan (816702) | more than 2 years ago | (#36428702)

Well it sounds like they are talking a data breach not a security breach. Hacker breaks into the server, prods around harmless files attempting to learn what the software setup is just looking around scoping out for his later attack, then signs off with no traces of actually gathering anything, that is one thing. Hacker downloads any CC#'s or other sensitive data, that is a data breach, and it's time to stop fscking around and cut him out and get apology notices ready ASAP.

Re:notify the government? How about us? (1)

martin-boundary (547041) | more than 2 years ago | (#36431544)

That example only sort of works. The accounts and the data on those computers were work related, so the owner of the works being stolen was basically the department. And Cliff Stoll told his boss what was happening, and got permission to proceed. So this is similar to telling the customers their data is being stolen, and then asking them for permission to monitor it while it continues.

Re:notify the government? How about us? (2)

CaptainPatent (1087643) | more than 2 years ago | (#36428660)

Agreed - even 48 hours is a bit long in today's digital world, and the government would only be a middle-man to whom the information needs to get, as you were saying.

If the legislators knew anything about computers, maybe they'd do something smart like require auditing software which detects mass-retrieval of data. That way, in most instances, the leak can be detected immediately instead of potentially not at all like some companies.

Heck - I think it would be better to require them to notify the government and their consumers within 48 hours of the breech regardless of whether or not they have detected it and subject them to a fine based on the severity of the retrieval and how detectable it should have been if it took them more than 48 hours to detect and report.

It won't stop data breeches, but it will make sure decent audit systems are in place.
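The "auditing software which detects mass-retrieval of data" suggested above is the kind of control a detection engineer would write as a sliding-window volume check over database access logs. The following is an added example, not code from the comment's author or from any product; the log format (one line per query: ISO timestamp, user, table, rows returned), the five-minute window, the 5000-row threshold, and the service-account allowlist are all assumptions chosen for illustration, and the log lines themselves are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a database access log. The format
# "ISO-timestamp user table rows_returned" is an assumption for this example.
# "bob" pulls the customers table in a burst of large page-sized reads,
# which is the pattern a bulk-export or scripted exfiltration would leave.
SAMPLE_LOG = """\
2011-06-14T10:00:01 alice customers 3
2011-06-14T10:00:07 bob customers 1
2011-06-14T10:01:15 alice orders 12
2011-06-14T10:02:40 svc_report customers 150000
2011-06-14T10:03:02 bob customers 2
2011-06-14T10:03:10 bob customers 1200
2011-06-14T10:03:11 bob customers 1200
2011-06-14T10:03:12 bob customers 1200
2011-06-14T10:03:13 bob customers 1200
2011-06-14T10:03:14 bob customers 1200
2011-06-14T10:09:00 alice customers 4
"""

# Window and threshold are assumed values; in practice they are tuned per
# table from observed baselines rather than fixed globally.
WINDOW = timedelta(minutes=5)
ROW_THRESHOLD = 5000
# Accounts that legitimately read whole tables (nightly reporting jobs)
# are exempted explicitly instead of raising the threshold for everyone.
ALLOWLIST = {"svc_report"}


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, table, rows) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, table, int(rows)))
    return events


def detect_mass_retrieval(events, window=WINDOW, threshold=ROW_THRESHOLD,
                          allowlist=ALLOWLIST):
    """Sum rows returned per (user, table) over a sliding time window and
    raise one alert per (user, table) the first time the total exceeds the
    threshold. Returns a list of alert dicts, in detection order."""
    history = defaultdict(list)   # (user, table) -> [(ts, rows)] inside the window
    alerted = set()
    alerts = []
    for ts, user, table, rows in sorted(events):
        if user in allowlist:
            continue
        key = (user, table)
        bucket = history[key]
        bucket.append((ts, rows))
        # Evict reads that have aged out of the window.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        total = sum(r for _, r in bucket)
        if total > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": user,
                "table": table,
                "rows_in_window": total,
                "first_seen": bucket[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_retrieval(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the only alert is for bob reading the customers table: 6003 rows between 10:00:07 and 10:03:14, crossing the threshold on the fifth burst read. Alice's small reads stay well under the limit and the reporting account is skipped by the allowlist. The point the comment makes is that a check like this fires while the retrieval is in progress, which is what makes a 48-hour reporting clock achievable.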

Re:notify the government? How about us? (0)

Anonymous Coward | more than 2 years ago | (#36428710)

Idiotic.

Slashdot approved solution to problems: More government control.

Re:notify the government? How about us? (0)

Anonymous Coward | more than 2 years ago | (#36428806)

It appears the GP suggestion would only fine companies unable to detect massive security breeches in a timely manner giving them free choice of auditing. Are you saying that companies inept enough to not be able to detect a breech shouldn't be fined?

Re:notify the government? How about us? (1)

AK Marc (707885) | more than 2 years ago | (#36429256)

More government control is only advocated when private industry has had a chance to fix it themselves and has proven that they act in the opposite of the best interests of the public, despite requests to the contrary. Government control wasn't the first step. But it's the last when the requests for reasonable notification are ignored for decades and only getting worse.

Re:notify the government? How about us? (0)

Anonymous Coward | more than 2 years ago | (#36428828)

- It won't stop data breeches, but it will make sure decent audit systems are in place.

What do pants have to do with this?

sure (5, Interesting)

waddgodd (34934) | more than 2 years ago | (#36428438)

Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?

Re:sure (0)

Anonymous Coward | more than 2 years ago | (#36428794)

Laws are meant to make people feel good about big brother's iron grip, not to be enforced in a meaningful way.

Re:sure (1)

TubeSteak (669689) | more than 2 years ago | (#36429002)

Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did.

I'm not aware of any mandatory reporting law at the Federal level.
It seems Anonymous and LulzSec have finally lit a fire under someone who can move and shake in Washington.

And FYI, legislation like this is usually the first in a series of bills.
Mandatory reporting lets them see the scope of the problem and determine what can be solved at the regulatory level, as opposed to the legislative level.

'Privacy breaches' (1)

countertrolling (1585477) | more than 2 years ago | (#36428530)

Nothing but a scapegoat to cover up intentional 'leaking' of data to the highest bidder. Then some expendable CIO will get thrown in front of the bus to 'close' the case... rinse repeat.. Just more noise.. You have no privacy

can't they (-1)

Anonymous Coward | more than 2 years ago | (#36428532)

can't they just decide to not discover it?

Re:can't they (1)

cozzbp (1845636) | more than 2 years ago | (#36428798)

Yeah, at least until Lulzsec decides to "discover" it for them by defacing their website and posting all their company emails on their website.

something needs to be (1)

nimbius (983462) | more than 2 years ago | (#36428534)

done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
they're one step closer to realizing they may never have needed the aforementioned item.

make no mistake...this law is being enacted to protect two things:
conspicuous consumption
and the requirement for american consumers to be both poorly educated and wanton in their purchases.

both of these elements are cornerstones in modern american society
upon which our class system is based and our wealth structures maintained.

Re:something needs to be (1)

Talderas (1212466) | more than 2 years ago | (#36428732)

done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
they're one step closer to realizing they may never have needed the aforementioned item.

Well duh. If you needed the item and didn't have it you'd be dead.

If the consumer is dead I hardly doubt that they would not be rather concerned about the loss of that particular product.

Discovery channel (1)

relikx (1266746) | more than 2 years ago | (#36428586)

But you see, this requires disclosure upon "discovering" a data breach. I have a feeling a couple of smart ass lawyers and an exec could find loopholes in whatever law may get passed and possibly with some extra unintended consequences.

Accidents? (-1)

Anonymous Coward | more than 2 years ago | (#36428592)

"The bill would require companies to dispose of old or unnecessary data, as well as notify the government within 48 hours of discovering a breach, unless the breach is an accident."

Does anyone leak customer data on purpose?

Re:Accidents? (1)

jd (1658) | more than 2 years ago | (#36428916)

Governments do that all the time. When you want to publish a statement but can't make an official announcement, you leak it to the press. Standard operating procedure.

Re:Accidents? (1)

AK Marc (707885) | more than 2 years ago | (#36429304)

If the breach was the accident, not the leak. Someone hacking your system isn't an accidental breach. Sending a mass email with all email addresses in the TO: field is a breach of security that was an accident (and has happened plenty of times). The leak is never "on purpose" but an "on purpose leak" is not the opposite of an "accidental breach."

Re:Accidents? (1)

Opportunist (166417) | more than 2 years ago | (#36432816)

Am I the only one who notices that last part as a bit ... odd?

I mean, from the point of view of someone whose data has been leaked, where is the difference between leakage due to a hacker breaking in or it being published accidentally? There is none. Some "evil" person may have it now.

From the law enforcement's point of view there is a big one. The intention is not to prosecute companies for lax security, the intention is to prosecute someone breaking into the data center of a company. Why else would there be no requirement to inform law enforcement if data had been lost accidentally?

or maybe... (1, Interesting)

ohzero (525786) | more than 2 years ago | (#36428598)

all these assholes could just stop storing everything in cleartext, and the problem would just go away without needing to involve bureaucrats.

Re:or maybe... (1)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#36428830)

If an authorized user can decrypt the data, then a phisher or a password cracker with the authorized user's credentials can decrypt the data. Not to mention that the key has to be stored somewhere, which will be accessible to root unless it's in an HSM.

Re:or maybe... (1)

blueg3 (192743) | more than 2 years ago | (#36429082)

Which is all automated systems. In any automated system, a person with sufficient access to the system can decrypt any stored data. (If the key is offline and you have only non-automated access to the data, you can store it securely.)

Re:or maybe... (1)

AK Marc (707885) | more than 2 years ago | (#36429334)

If they stored it all encrypted, then anyone with root could decrypt it, resulting in zero extra security for the information on a compromised system.

Drive encryption is almost completely useless unless the system is not physically secure and the encryption was selected assuming that the system would be off when compromised and the attacker would have physical access but not OS level access as a logged in user of any kind. None of that applies to a server compromised over the network.

Sure Notify the Government and (1)

Dyinobal (1427207) | more than 2 years ago | (#36428628)

Sure Notify the Government and turn over a copy of all the files that might have been compromised, so that they can be um closely monitored for any suspicious activity that might lead to the capture of those terrible evil hackers. Because I love the idea of the Government having all the private info I gave to some company and for the people who breached the company's security as well to have it.

Cloak after the rain? (2)

ThunderBird89 (1293256) | more than 2 years ago | (#36428644)

Why not require them to take proper steps to protect the data, not some half-arsed security mirage on the cheap done by the CTO's nephew's brother's neighbor's friend fresh out of CS101? The government could even mandate the corporations hiring a bluehat to give their systems a once-over or hire convicted hackers on a work-release program (it takes a thief to catch a thief, after all) to pentest the defenses and fine if not acceptable.

But requiring notification with today's password reuse is not going to help: most people use a single master password (present company excepted), so if one account gets hacked, all of them can be considered compromised. John Doe is never going to track down all his passwords that need changing (too many services used once and forgotten, too lazy, doesn't care, etc.), if he bothers to change any of them.

Re:Cloak after the rain? (0)

Anonymous Coward | more than 2 years ago | (#36428826)

"Proper steps" as defined by whom?

What are small companies [that cannot afford to hire a penetration tester] to do?

The government already has a system in place to discourage system breaches: the courts. See: http://www.youtube.com/watch?v=cD0dmRJ0oWg#t=4m30s

Re:Cloak after the rain? (1)

AK Marc (707885) | more than 2 years ago | (#36429358)

Why not require them to take proper steps to protect the data,

Then you'll end up with systems where people follow the rules regardless of whether the rules make sense, and in many cases the rules themselves cause more problems than they fix (HIPAA, I'm looking at you). If you just define the "bad outcome" and put a fine on that, if the fine is high enough, then those dealing with it will spend as necessary to prevent "bad outcome." It's simpler to write, understand, and enforce than to come up with a computer security code as complex as the electrical code or building codes. Since lives aren't on the line, you don't need a national "security code handbook" that everyone has to follow, but just fine them lots when they allow a breach.

Re:Cloak after the rain? (1)

ThunderBird89 (1293256) | more than 2 years ago | (#36429538)

Well, I wasn't suggesting creating a "Security code handbook", even though it seems like a good idea. If that were done, however, we'd have the same security systems across companies, with likely the same bugs and faults. In an electrical code or similar, that's okay, it's not like people are going to exploit it maliciously, but in corporate security, that's like putting a neon sign "TROUBLE APPLY HERE!".
The "require them to take proper steps" was meant to be exactly what you said: an act that says "You get hacked, you get smacked (possibly in advance)!". I thought the context made that clear, but thanks for reinforcing my point.

Once the lobbyists get their crack at (0)

Anonymous Coward | more than 2 years ago | (#36428782)

the legislation, there will be plenty of loopholes. Such as:

* when does the clock begin, when you suspect a breach or when you've confirmed? What if you never confirm, but leave the question open indefinitely? What are the standards for confirmation?
* what about off-shoring data? Jurisdiction?

What we need are comprehensive privacy laws which place copyright for information about a particular person in the ownership of that person. When companies get their asses sued off for copyright violations they'll take data security more seriously.

S.A.F.E. DATA ? (3, Insightful)

2phar (137027) | more than 2 years ago | (#36428822)

How about a law to require proper titles for acts instead of these stupid acronyms.

Make it a legal liability (3, Insightful)

izomiac (815208) | more than 2 years ago | (#36428938)

IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.

Re:Make it a legal liability (1)

gmhowell (26755) | more than 2 years ago | (#36430360)

Sounds like a place where the free market might actually work. But for some reason, I doubt that the widow of the congressman from Disney would go for such a scheme.

Quit trying to play "economist" troll (0)

Anonymous Coward | more than 2 years ago | (#36432126)

Nobody takes you seriously. We all know you're just a piece of online trolling trash per your own admissions thereof here http://slashdot.org/comments.pl?sid=1907528&cid=34543612 because, after all, you even admit to it you trolling online trash scumbag. Fact.

new corporate data breach policy (0)

Anonymous Coward | more than 2 years ago | (#36429476)

don't ask, don't tell

Which country is this article talking about? (0)

Anonymous Coward | more than 2 years ago | (#36433312)

Next time you may want to mention the place/society/country. After reading it I can of course conclude that it might be the US but then it was already too late. I was not interested but had to read all the way to the end.

What if there is a leak of encrypted information? (1)

riky78 (2265878) | more than 2 years ago | (#36434754)

If the stolen data are the encrypted database tables (e.g. of a software like EncDB), will a notification to the government be required?