A new cybersecurity-related bill has been introduced in Congress. Or should I say, yet another cybersecurity bill. A whole lot of bills have been introduced, but none of them seem to get passed.
The latest bill was introduced by my own state senator, Pat Toomey. It's called the Data Security and Breach Notification Act of 2012. According to The Hill, the bill would set national standards for how companies must inform consumers about data breaches involving personal information. The Hill stated:
The act directs corporations, trusts, cooperatives and similar entities that retain personal information to inform the owners of that information of a breach as quickly as possible. The breached entities have to inform the owners of the breached information on the date it was accessed, the information that was stolen and how to contact the breached entity for more information. The notification can be by telephone, email or on paper.
As the Naked Security blog pointed out, this is the fourth attempt in Congress to somehow nationalize notification laws that 40 states now have in place.
It’s a good idea, if you ask me. Cybersecurity-related bills like this make more sense coming from a national level than the state level because the Internet is borderless. Laws that involve the Internet but have state borders make little sense.
The bill also brings federal law enforcement into large breaches, making them worthy of an investigation by the FBI. According to the Naked Security blog:
If the breach impacts 10,000 or more people the organization will also be required to notify the FBI or the US Secret Service. Law enforcement agencies can request, in writing, that the organization delay notification if doing so might compromise a criminal investigation or have an impact on national security.
The downside to this bill is that there is no timetable for actually sending out those notifications. That has been one of the biggest complaints among consumers — companies learn about breaches but don’t notify consumers in a timely manner. Yes, states have notification laws, but some of those laws have loopholes built into them.
I had a conversation earlier this year with a security researcher who discovered his financial information was at risk when a bank was hacked. The bank personnel weren’t forthcoming when he asked questions, and he later found out on the news that the information was breached. I know companies have said they are reluctant to release any information until all the facts are in, but from the consumer point of view, the longer they are kept in the dark, the more vulnerable they feel.
Only time will tell if Toomey’s bill will gain any traction in the Senate. At some point, you have to think that one of these bills will take hold and get passed.