BreachExchange mailing list archives

Federal and State Governments Respond to Recent Data Breaches and Propose New Cybersecurity Laws


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Mar 2015 12:38:27 -0600

http://www.jdsupra.com/legalnews/federal-and-state-governments-responds-t-56784/

Over the past few months, major retailers and Internet content providers,
like Target and Sony, have been victims of massive cyber-attacks resulting
in the release of customer credit card data, private corporate e-mails, and
copies of major motion pictures worth millions of dollars. Just a few weeks
ago, Uber reported an attack on one of its databases that exposed
approximately 50,000 drivers’ names and license numbers. Anthem, a health
insurance plan provider, recently confirmed that its data breach puts
millions of people at serious risk of identity theft and medical fraud.

As a result of these increasing cyber-attacks, it comes as no surprise that
the public’s attention has been ever more focused on the continued
vulnerability of corporate data systems to malevolent hackers. In an
attempt to address the public’s justified concern, President Obama recently
proposed a new law that would require businesses to inform customers of
data breaches and provide private companies the opportunity to share
information with other companies and the government regarding possible
threats.

Part of the proposal, titled the Personal Data Notification & Protection
Act, would consolidate various state-level rules regarding consumer
notification into a national standard. The law would require businesses to
provide reasonable notice to customers affected by a breach within 30 days
of the breach.[1] Such a requirement would apply to situations where first
and last names are stolen in tandem with addresses, telephone numbers,
birthdates, social security numbers, or e-mails.[2] Companies may overcome
such requirements if they demonstrate to the Federal Trade Commission
(“FTC”) that additional time is necessary to prevent further breaches,
evaluate risks, or restore the integrity of the data system. Moreover, the
new federal law would permit injunctions against companies or fines, but
the largest liabilities will likely exist in civil actions between
customers, businesses, and payment providers.

The federal government isn’t the only one taking action as a result of the
latest increase in data breaches. In addition to the already existing New
York State Information Security Breach and Notification Act, New York
Attorney General Eric Schneiderman recently proposed many of the same
changes to cybersecurity regulations.[3] Attorney General Schneiderman
estimates that data breaches cost New Yorkers nearly $1.37 billion in 2013
alone. Not only would the New York proposal require customer notification
in a similar manner to the federal proposal, but it would also “require
stronger technical and physical security measures for protecting
information…” Although the exact details of Schneiderman’s proposal have
not yet been released, the proposed state regulation would allegedly also
expand the definition of private information to include data such as email
address and password.

While the degree, nature, and timing of cyber-attacks are difficult to
predict, there are techniques that can be employed to prevent them.
Employers should review their Internet security policies and home in on
the risk factors that make them vulnerable to Internet hackers.
Irrespective of these potential changes to data security law, businesses
should continue to improve the strength of their data security systems.
Additional steps must be taken to protect corporate databases in order to
prevent a massive amount of information from being leaked to the general
public.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/