Liquidmatrix Security Digest

Before You Tell Anyone, Call The Cops

There is a new proposal before Congress that outlines a reporting process for any company that processes electronic data. Under the proposal, any firm that experiences a major breach must report it to the federal authorities before notifying consumers. Failing to do so could result in financial penalties and/or jail time.

The Republican-backed bill would require “whoever owns or possesses data in electronic form” that contains personally identifiable information–such as a person’s name, Social Security number or date of birth–to inform the U.S. Secret Service or the FBI within two weeks of discovering a “major breach.”

Those law enforcement agencies could then decide to delay notification to consumers by as much as 30 days, if they determine that disclosure would harm criminal investigations or national security.

Maybe I’m just overly paranoid, but my natural distrust is screaming for attention here. A major breach is defined as being any incident that affects 10,000 or more people. The rationale for this is that there are not enough controls in place to help protect consumers from phishers and the like. While I will readily agree that more has to be done on this front, I do not necessarily agree that this bill, the Cybersecurity Enhancement and Consumer Data Protection Act, will get us there.

Susanna Montezemolo, a policy analyst for the Consumers Union, urged politicians to “tread carefully” on the latest proposal. The legislation does not address some of the broader consumer protection issues, such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said.

I guess I have a hard time believing, bearing in mind recent disclosures that the NSA is harvesting phone calls from regular Americans. The penalties for computer-related crimes are proposed to be dramatically raised.

For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison–rather than the existing maximum of 10-year to 20-year sentences. That move received the Justice Department’s endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security committee.

Article Link
