Government moves could force data breach confessions


Organizations in virtually all industries could soon be impacted by government moves in response to data breaches like the one that affected Target at the close of 2013.

The Federal Trade Commission has asked Congress to pass a national breach notification bill, which would require companies that have their systems compromised to alert consumers and appropriate government authorities within a specific time frame. The legislation is intended to correct a situation in which a company could withhold such information for long periods of time while it tries to resolve the problem internally, thereby leaving customers at long-term risk of identity theft and personal data compromise.

In addition, lawmakers in the State of California have been asked to approve legislation that would ban businesses from storing certain types of customer data for long periods of time. This bill is aimed at reducing the window of risk for personal customer data.

As noted in an article at Network World, "the end result of the latest activity may not be known, but the trend is clear. High-profile data breaches are bolstering critics' arguments that government needs to step in to protect consumers."

Adding to the sense of urgency have been several recent information security studies that all agree on one point: IT security professionals say it is a matter of when, not if, any given organization will be the victim of a cyberattack.

The article quotes Beth Givens, director of the Privacy Rights Clearinghouse, who said "We tell individuals to simply assume that your personal information is going to be compromised and to take steps to protect yourself on a daily basis. However, there is nothing any consumer could have done to prevent being affected by these breaches."

To help reduce the risk to consumers, FTC Chairwoman Edith Ramirez has asked that Congress require companies to report all data breaches. But further still, Ramirez wants the FTC to have authority to seek civil penalties "to deter unlawful conduct by companies, rulemaking authority to bolster protections and jurisdiction over non-profit entities," the article explains.

Meanwhile, in California, the proposed legislation would ban the long-term storage of personal identification numbers, Social Security numbers and driver's license numbers. Businesses would also be required to report a data breach within 15 days, and would be liable for any and all damages suffered by consumers as a result of a breach.
