Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.
Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.
First, the definition of Personally Identifiable Information, or PII:
- Full name plus any two of the following
- Address and phone number
- Mother’s maiden name
- Month, day, and year of birth
- Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number
- Biometric data such as fingerprints, retinal scans, etc.
- Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes
- Any combination of the following
- First and last name or first initial and last name
- See item four above
- Security codes, access codes, passwords or source codes used to derive the aforementioned
The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.
Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.
The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.
If data is determined to be properly protected and evidence is submitted on time, individual notifications would be unnecessary. Financial institutions who only lose account numbers are also exempt if other protective measures are in place to prevent fraud.
After a data loss incident, organizations would be required to notify individuals by letter, phone or email.
Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.
States may pass laws requiring notifications to include information about identity theft/fraud prevention.
When more than 5,000 victims are involved, organizations would be required to do the following:
- Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.
- Notify all consumer credit reporting agencies of the victims within 60 days of discovery.
Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:
- The breach contains, or is believed to contain, PII on 5,000 or more individuals.
- The breach involves a database or network of databases that contain PII on 500,000 or more individuals.
- The breach involves a database owned by the United States government.
- The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.
Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.
The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.
Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.
Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.
It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.
Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.
Source :- http://nakedsecurity.sophos.com
- White House Seeks National Data-Breach Notification Law (informationweek.com)
- The U.S. Cyber Policy Blitz (technologyreview.in)
- White House Wants Mandatory 3-Year Sentence for Critical Infrastructure Hackers (wired.com)
- Does Obama Really Have an Internet Kill Switch? (pcworld.com)
- How security chief’s bank details leaked (theage.com.au)
- How big was the Epsilon data breach? (superconductor.voltage.com)
- Five things companies must do to protect customer data (news.consumerreports.org)
- U.S. Cybersecurity Proposal – A Plan about Plans: We Need More Action and Talent If We’re Serious about Securing Our Nation’s Data (lumension.com)
- White House Releases Cybersecurity Plans (informationweek.com)
- Is Sony Getting a Bad Rap on Its Data Breach? (pcworld.com)
Powered by Facebook Comments
Thank you..really informative!!
Thank you..really informative!!
Make sure to check back frequently 36to our site. We have tons of new information to be released, including35 details on production and setup, more artist to be announced, stories about art installations, as well as many travel options and general event news. We’ll be working nonstop to bring you a unique three-day event and this website is the official information center for all you’ll need to know about this year’s Electric Daisy Carnival. Consider this your guide to explore all the exciting things we have planed for this years festival. Use it to purchase tickets, browse maps, obtain information about the venue, and to get details about the event as they are made available. Keep checking back and stay in tune! We’ll make sure to keep you tantalized with tons of exciting updates!
Loving the information on this internet site , you have done outstanding job on the content .
hey here,pal. I was directed by one of my relatives to visit your weblog. I like the design of the site greatly. Your blog is very useful. Please keep on the good work. I absolutely will read it oftenly and tell it to my friends.
Thank you for a great post.
Hello, sry for my bad english but Ih ave observed your web site and would say that I uncover your posts great simply because they have give me new suggestions and new aspects. Thanks for this information.
I like the helpful info you provide in your articles. I will bookmark your weblog and check again here regularly. I’m quite certain I will learn many new stuff right here! Good luck for the next!
I never thought of it that way, well put!
Hey, I don’t think telling you this on your post President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act | Social Media Blog would be the ideal place however I could not locate a contact page inside your somewhat messy theme (i’m sorry). My readers used to tell me the exact same thing so I swapped over to a brand new theme from http://bit.ly/themeforests. I have only gotten kind comments ever since. Cheers, Maurice Zahnke
At last, smoonee comes up with the “right” answer!
I’m undoubtedly not too familiar with this matter but I do like to explore blogs for layout suggestions and intriguing subjects. You realistically described a matter that I commonly do not care very much about and made it particularly fascinating. This is a wonderful blog that I will take note of. I already bookmarked it for future reference. Lung Cancer Symptoms
Hi Guy, this good blogs, thanks
Amazing weblog! I dont think Ive seen all of the angles of this subject the way youve pointed them out. Youre a true star, a rock star man. Youve got so significantly to say and know so considerably about the subject that I feel you must just teach a class about it…HaHa!
Thank you for this great Blog post. Great topic to write about on my site. I might set a bookmark to your site.
My personal nephew ended up being laughing at me personally any time perusing this line about your site “
Ones the most effective!
This publish is very informative meant for the citizens in knowing all but the fantastic procedures.It is a good of all the experience in knowing around the various film actions.That is really valuable meant for the public to use our age into a fantastic way to generate it everything informative.
Incredible, that’s just what I was searching for! You just spared me alot of digging around
This is a good blog. Keep up all the work. I too love blogging and expressing my opinions. Thanks
thanks !! very helpful post!
Great beat ! I would like to apprentice while you amend your website, how could i subscribe for a blog website? The account aided me a applicable deal. I were tiny bit acquainted of this your broadcast provided shiny clear idea