President Barack Obama delivering speech at FTC
After cyber breaches in 2014 that ended with the private information of tens of thousands of individuals falling into the hands of cybercriminals, President Obama proposed new legislation that would force companies to report hacking of their systems to customers within no more than 30 days.
Major incidents such as the ones affecting Target at the end of 2013 and Home Depot in 2014 are just two in which card data was lost for a combined total of customers just shy of 100 million. In the case of Home Depot, apart from the 56 million card records exposed, 53 million email addresses were also compromised.
In the case of Target, the number of card records extracted from its systems reached 40 million, but the total number of individuals affected was 70 million, as personal information such as addresses, emails and phone numbers was also accessed.
Law already exists in some states
In a speech delivered at the Federal Trade Commission (video available below), Obama said that he wanted Congress to pass a law called the Personal Data Notification and Protection Act, which would force US companies to inform their customers that their data had been compromised as a result of a security breach within 30 days of the incident.
Such notifications are required in some states, but not all of them have embraced such legislation and the president’s proposal aims at creating “a single, strong, national standard, so Americans know when their information has been stolen or misused,” Obama said.
In California, businesses have to notify clients of a breach involving personal information immediately after the discovery of the incident. However, the disclosure “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.”
In the state of Vermont, the legislation is stricter on this matter and requires businesses handling sensitive customer information to notify in case of a security breach “in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification.”
The customer is oftentimes the last one to know
Obama's proposal also addresses what customer information is stored by companies, for what purpose, and how it is secured on their infrastructure.
These matters are also regulated by several states, but the president wants to establish a national standard for information protection.
In many cases, a merchant that has become the target of a cyber-attack learns about the unauthorized intrusion on its systems from a third party, such as law enforcement, financial institutions or even journalists.
Needless to say, customers are most of the time the last to learn that their private information has been exposed or stolen.
Without being notified as early as possible that their personal information has been stolen from the organizations responsible for keeping it safe, individuals have no chance to take measures to protect themselves against the risk of identity theft.
They could contact services specialized in identifying fraud attempts and potentially mitigate the problem without incurring any damages.
The same legislation pushed by Obama would make it illegal to sell customer identities to entities overseas.
Check out Barack Obama's speech (starts at minute 46, but skip to minute 51 for the cyber security stuff):