Following a string of high-profile data breaches, lawmakers push (again) for federal data breach disclosure. After several large breaches -- including the Epsilon, Sony, and Citigroup incidents that left customer financial data exposed -- federal lawmakers are dusting the covers off of an old idea: national data breach notification laws. Since the inception of the California Data Breach Disclosure Law, known as SB 1386, most states have followed suit -- leaving a mishmash of data breach notification laws across the country. Proponents of a national law contend that a federal data breach disclosure standard would simplify the rules for business -- so they know exactly what events would trigger a mandate for notification. Also see: The breach goes on: Bono Mack unveils SAFE Data Act. One piece of legislation being introduced, The Data Security and Breach Notification Act of 2011 by Sen. Patrick Leahy (D-Vt.) and co-sponsored by Sen. Charles Schumer (D-N.Y.) and Ben Cardin (D-Md.) … [Read more...] about They’re back! Data breach notification bills resurface
The European Commission is examining whether additional rules are needed on personal data breach notification in the European Union. Telecoms operators and Internet service providers hold a huge amount of data about their customers, including names, addresses and bank account details. The current ePrivacy Directive requires them to keep this data secure and notify individuals if such sensitive information is lost or stolen. Data breaches must also be reported to the relevant national authority. However, Digital Agenda Commissioner Neelie Kroes announced on Thursday that she was opening a public consultation to see if more regulation was needed. "The duty to notify data breaches is an important part of the new E.U. telecoms rules," she said. "But we need consistency across the E.U. so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses." In May the … [Read more...] about EU considers stricter data breach notification rules
Earlier this month more than 50 companies were involved in a massive heist of names and email addresses from Epsilon Interactive. With millions of customers of companies such as Best Buy, Brookstone, Dell, Marriott and many others affected, the question is being raised: are so many breach notifications from so many companies numbing their impact? As for the breach that started it all for Epsilon, it's becoming an all-too-common story: employees were spear-phished with emails that linked to a malicious web site, or contained an attachment designed to infect endpoints with malware. Once a foothold was established, the attackers moved in on what they were after. Such attack techniques have been behind, among many other incidents, the now infamous Operation Aurora and the recent RSA Security breach. The Epsilon breach is relatively tame by breach standards. As far as we know, no Social Security numbers, financial account numbers or even physical street addresses were stolen: only name, email … [Read more...] about Data breach notification fatigue: Do consumers (eventually) tune out?
After several large breaches -- including the Epsilon, Sony, and Citigroup incidents that left customer financial data exposed -- federal lawmakers are dusting the covers off of an old idea: national data breach notification laws. Since the inception of the California Data Breach Disclosure Law, known as SB 1386, most states have followed suit -- leaving a mishmash of data breach notification laws across the country. Proponents of a national law contend that a federal data breach disclosure standard would simplify the rules for business -- so they know exactly what events would trigger a mandate for notification. Also see: The breach goes on: Bono Mack unveils SAFE Data Act. One piece of legislation being introduced, The Data Security and Breach Notification Act of 2011 by Sen. Patrick Leahy (D-Vt.) and co-sponsored by Sen. Charles Schumer (D-N.Y.) and Ben Cardin (D-Md.), would mandate that organizations that possess personal information put in place "reasonable" security … [Read more...] about They’re baaack! National data breach notification bills resurface
Australia's government is keeping a tight hold on proposed data breach notification legislation that could become law before a federal election in September. The country does not have a data breach notification law. Instead, the federal government recommends that organizations notify the Office of the Australian Information Commissioner (OAIC) if a breach poses a "real risk of serious harm." Earlier this month, the Attorney-General's Department privately shared a draft bill with some stakeholders that outlines the government's thoughts on data breach notification and what would be required of companies and organizations. A spokesman for the attorney general said Thursday the draft bill hasn't been publicly released. The document, titled "Exposure Draft -- Privacy Amendment (Privacy Alerts) Bill 2013," was obtained by SC Magazine but not published. However, some organizations and companies have publicly published their responses to the draft legislation. Roger Clarke, chairman of the … [Read more...] about Australia mulls data breach notification law, but details are secret
LeakedSource, a breach notification service that exposed some of 2016’s largest data breaches, might be facing a permanent shutdown. According to a forum post on a well-known marketplace, the owner of LeakedSource was raided earlier this week, although the exact details of any potential law enforcement action remain a mystery. At the start of the new year, LeakedSource indexed more than 3 billion records. Their collection is the result of information sharing between a number of sources, including those who hacked the data themselves. Access to the full archive requires a membership fee. Sometimes the data LeakedSource obtains is recent, but that isn’t always the case. There have been numerous instances where LeakedSource obtained records from a data breach long after the attack had taken place and the data was no longer useful to those who compromised it. On the OGFlip forum Thursday, a user posted vague details about the LeakedSource raid, but Salted Hash has been unable to … [Read more...] about Breach notification website LeakedSource allegedly raided
U.S. President Barack Obama will push Congress to pass a law requiring companies that are victims of data breaches to notify affected consumers within 30 days, and a second law that gives consumers more control over their digital data, he said. Obama will call for a national data breach notification law and a Consumer Privacy Bill of Rights in ID theft and privacy initiatives in his State of the Union speech Jan. 20, he said Monday at the Federal Trade Commission. Neither of those proposals is a new one—the White House first called for a consumer privacy bill of rights in February 2012 and has backed a national breach notification law for years—but Congress has failed to pass those proposals. With a growing number of data breaches coming to light, it’s important for Congress to protect Internet users from a “direct threat” by hackers, Obama said. “If we’re going to be connected, then we need to be protected,” Obama said. “As Americans, … [Read more...] about Obama calls for data breach notification law, privacy bill of rights
State and federal data breach notification laws have changed, and are expanding, more than a little. CISOs and CSOs should start here to expand their knowledge of the increasingly restrictive notification requirements that apply to their organizations. State Law Status and Trends: One challenge enterprises have faced with state data breach notification laws is the differences between the laws. "When you have an incident that affects consumers throughout the country, you have to craft a response that complies with all the state laws, which is a challenge. It's even impossible where there's an outright contradiction between two different laws," says Kristen J. Mathews, Partner, Privacy & Data Security Group, Proskauer Rose LLP. While Massachusetts' breach notification law says the letter the company sends to affected individuals cannot inform as to the nature of the breach, most states require the opposite. "The only way to comply is to have a special letter for Massachusetts. In … [Read more...] about Data breach notification laws, state and federal
We all remember from our early education learning about the three major branches of government in the US: the executive, the legislative and the judicial branches. But how does our legal system work to create privacy law for all our different business sectors? Hint: it’s not how they do it in Europe. We begin by looking at Constitutional law. The U.S. and state Constitutions are the primary source of law in America. However, a state Constitution may afford more privacy protection than the broader U.S. Constitution. Enter the FIPA act of 2014 from the state of Florida: the Florida Information Protection Act. Each state has its own flavor of data privacy law, if it has one at all. FIPA says, "An act relating to security of confidential personal information; providing a short title; repealing s. 4 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing … [Read more...] about Florida privacy law adds breach notification and strengthens compliance
Chris Wolf, an attorney and head of the Proskauer Rose (Washington, D.C.) law firm's privacy and security group, stated in a recent interview that breach notifications should be delayed until all the facts are in about what was lost and who was affected. While this might be a good legal position, I'm not sure this view is shared by victims of a breach, privacy advocates, or me if the delay reaches across weeks or months. The topic of the discussion with Wolf was the potential for a U.S. federal breach notification law and the impact on business of similar state regulations. The interview, which appeared in the December/January 2009 issue of CSO, attributes the following to Wolf: Many of the state regulators who are focusing on [timely notification] are focused on the chronological amount of time between breach and notice. I'm not sure they have a sufficient amount of knowledge of what is involved when a company needs to get its arms wrapped around a breach. Before … [Read more...] about Are state and federal breach notification mandates unreasonable?