BreachExchange mailing list archives
Citi Breach Builds Momentum for Federal Data Security Standards
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 23 Jun 2011 02:42:44 -0400
http://www.insurancenetworking.com/news/insurers_cyber_crime_federal_data_standard-28225-1.html

The call for a national standard for when and how banks, insurers and financial services companies must notify customers of a data breach beefs up penalties for cyber crimes by synchronizing them with other laws, such as the Racketeering Influenced and Corrupt Organizations Act.

The Obama administration's push to create a national standard for when and how banks and other companies must notify customers of a data breach appears to be gaining momentum. Financial services representatives told a Senate panel on Tuesday they would support the White House's proposal, which would, among other things, combine a patchwork of 47 state laws on the issue into a federal standard.

Senate Banking Committee Chairman Tim Johnson also appeared supportive of strengthening cybersecurity laws, saying recent high-profile data breaches within the financial services sector and elsewhere underscore the importance of the issue. "Breaches are disruptive and raise the potential for financial fraud, identity theft and, potentially, severe threats to our national economic security," Johnson said.

Citigroup Inc. was the most recent high-profile data breach, after it disclosed that a hacker had accessed customer information for more than 360,000 credit card accounts last month. Lawmakers have criticized Citigroup for waiting nearly a month to disclose the breach. The bank said it discovered the breach on May 10 during routine maintenance, but didn't begin notifying customers until June 3.

Sen. Robert Menendez, D-N.J., said there have been 288 publicly disclosed breaches at financial services companies in the last six years that exposed at least 83 million customer records.
"I'm concerned about what are the financial institutions doing, number one, to enhance their position against cyber security attacks, and number two, when there is a breach, what are they doing in their fiduciary responsibility to notify their customers of those breaches," said Menendez, who introduced his own cybersecurity bill earlier this month. He pressed witnesses to say whether Citi should have come forward sooner.

Leigh Williams, the president of Bits, the technology policy division of the Financial Services Roundtable, said banks have a responsibility to notify customers of breaches as quickly as possible. "I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators under regulatory rules," Williams said. "And they have a fiduciary and a business responsibility to notify customers if there is any way that the customer can begin to take action to protect themselves." Williams said the industry has invested tens of billions of dollars in cybersecurity and is continually improving its ability to repel cyber attacks.

But Marc Rotenberg, the executive director of the Electronic Privacy Information Center and a law professor at Georgetown University, said customers are seeing more and more data breach notifications. "These problems are going to get worse," Rotenberg said. "As more sensitive data moves into the cloud, we become more dependent on electronic financial records, and more companies store vast amounts of consumer data on remote servers, the risk that personal data will be improperly disclosed or accessed will necessarily increase." Rotenberg said any new cybersecurity legislation should apply breach notification requirements to financial institutions, require authentication techniques that reduce risk to consumers and should not preempt stronger state laws.
The administration proposal, released May 12, would beef up penalties for cyber crimes by synchronizing them with other laws, such as the Racketeering Influenced and Corrupt Organizations Act, or RICO, which is often used to fight organized crime but doesn't apply to cyber crimes. It would provide voluntary federal assistance to states and local governments to prevent cyber attacks, and would coordinate information sharing among them. It would also direct the Department of Homeland Security to identify critical infrastructure, such as electricity grids and the financial sector, and work with industries to develop cybersecurity plans.

Stuart Pratt, the president and chief executive of the Consumer Data Industry Association, stressed that any legislative proposals should align with existing laws and regulations. "It is important for new laws not to impinge on frameworks of law which already establish the necessary focus on data security," Pratt said. "Such conflicts are not inevitable and do not have to impede the passage of new cybersecurity protections." For example, Pratt said the group favors a national breach notification standard, but said lawmakers should avoid "arbitrarily overwriting existing national standards" already in effect, such as guidance already issued by bank regulators.

Williams said Bits also supported the administration's plan.

[..]