BreachExchange mailing list archives

Revamped Data Breach Law Could Exclude Minor Attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:27 -0600

http://www.pymnts.com/news/2015/revamped-data-breach-law-could-exclude-minor-attacks/#.VUj0kPlViko

Under newly proposed legislation as part of the data breach notification law
Congress is looking to put in place, companies wouldn’t have to reveal
minor cybersecurity breaches, The Wall Street Journal reported.

While the initial proposal cast a wider security scope over breaches, as it
would require U.S. businesses to notify customers within 30 days after a
confirmed data breach if their data might have been compromised by it, this
new proposal would allow companies to determine if it’s worth notifying
customers, depending on the scope of the breach. If there is reason to
believe the breach would lead to identity theft or fraud, the companies are
obligated to report the attack, but for breaches that are more low profile,
the new bill would allow companies to keep the breach hidden.

According to a statement relayed on behalf of a spokesman for U.S. Rep.
Marsha Blackburn (R—Tennessee), “too much notification undercuts the value
of useful notification.” Blackburn was one of the sponsors of the proposed
bill. Because the purpose of the bill is to protect consumers from ID theft
and payment fraud, breaches that do not fall within that type of
larger-scope breach would be able to be cast aside and dealt with by the
company, Blackburn’s spokesman said.

Gerald Ferguson, a privacy attorney at Baker & Hostetler, told the WSJ that
while the standard “would lead to less notifications,” it also opens up the
gateway for companies to make their own decisions on data breaches. This
could make the process more convoluted as he suggested that “when
[companies] are starting to do a risk of harm analysis there is a lot of
discretion.”

But that discretion may be good for the industry, said one technology law
specialist, as it would enable companies to choose how, or when, they want
to notify their customers. This could allow for companies to deal with the
breach notifications in a lower profile manner so unnecessary fear is not
created among consumers who may worry their personal information has been
compromised.

“Companies would benefit from reduced demands on compliance functions,”
Daren Orzechowski, a technology law specialist at White & Case, told WSJ.
“It would allow companies to focus more on addressing the breach rather
than running through volumes of statutes.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 