BreachExchange mailing list archives
New-But-Old US Bill Introduces Prison Time for Execs Who Conceal Data Breaches
From: Destry Winant <destry () riskbasedsecurity com>
Date: Sat, 2 Dec 2017 22:03:08 -0600
https://www.bleepingcomputer.com/news/security/new-but-old-us-bill-introduces-prison-time-for-execs-who-conceal-data-breaches/

Three US senators introduced a bill on Thursday that would make it mandatory for companies to report breaches to customers within 30 days, and that also carries fines and possible prison time for execs who conceal breaches from users and authorities.

The new bill is named the Data Security and Breach Notification Act and is sponsored by three Democrats: Sen. Bill Nelson (Florida), Sen. Richard Blumenthal (Connecticut), and Sen. Tammy Baldwin (Wisconsin).

Not the first time senators have tried to regulate breach disclosure

This is the second time a bill with this name has been introduced. Four senators, including Nelson, tried to push a previous version of this bill in 2014, during the Obama administration, but failed to get the support they needed.

The 2014 bill came shortly after the Target and Neiman Marcus breaches, and its main objective was to force companies to store data in a more secure manner and ensure all customers receive breach notifications in due time.

This new bill comes as a response to the recent Uber debacle, where the company paid $100,000 as hush money to two hackers to keep quiet about a security incident that took place in late 2016. The company came clean about the breach a year later, after a change in management, revealing that hackers stole details for almost 57 million drivers and customers.

Execs who hide breaches risk going to prison

The new Data Security and Breach Notification Act includes verbiage that will fine company execs if they intentionally conceal a breach, punishing culprits with fines and a prison sentence of up to five years.

But this is not the bill's main purpose, even if some users would find comfort in the thought that some overpaid executives will see the inside of a jail cell if they screw up. The bill's main purpose is to homogenize data breach notification laws across US states.

Currently, each US state forces companies to disclose breaches in a different manner, while some states don't even have such laws in the first place.

The new federal-level Data Security and Breach Notification Act will require companies to notify customers of security breaches no more than 30 days after the breach took place. It also directs the Federal Trade Commission (FTC) to develop security standards to help businesses protect consumers' personal and financial data, and to provide incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach.

"The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans' identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage," said Senator Baldwin, one of the bill's co-sponsors.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- New-But-Old US Bill Introduces Prison Time for Execs Who Conceal Data Breaches Destry Winant (Dec 04)