Laws against identity theft need to be strengthened

Jan 13, 2015 00:45 GMT

After a series of breaches in 2014 left the private information of tens of millions of individuals in the hands of cybercriminals, President Obama proposed federal legislation that would require companies to notify affected customers of a breach of their systems within 30 days.

Major incidents such as the ones affecting Target at the end of 2013 and Home Depot in 2014 are just two examples, and between them they exposed just shy of 100 million payment card records. In the case of Home Depot, apart from the 56 million card records exposed, 53 million email addresses were also compromised.

In the case of Target, the number of card records extracted from its systems reached 40 million, but the total number of individuals affected was 70 million, as personal information such as names, postal addresses, email addresses and phone numbers was also accessed.

Laws already exist in some states

In a speech delivered at the Federal Trade Commission, Obama said (video available below) that he wanted Congress to pass a law called the Personal Data Notification and Protection Act, which would require US companies to inform their customers that their data was compromised in a security breach within 30 days of discovering the incident.

Such notifications are already required in some states, but not all of them have adopted such legislation, and the president's proposal aims to create "a single, strong, national standard, so Americans know when their information has been stolen or misused," Obama said.

In California, businesses have to notify affected individuals of a breach involving personal information without unreasonable delay after discovering the incident. However, the disclosure "may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation."

In the state of Vermont, the legislation goes further and sets a hard deadline: businesses handling sensitive customer information must notify affected individuals of a security breach "in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification."

The customer is oftentimes the last one to know

Obama's proposal also addresses what customer information companies store, for what purpose, and how it is secured on their infrastructure.

These matters are also regulated by several states, but the president wants to establish a national standard for information protection.

In many cases, a merchant that has been compromised learns of the intrusion into its systems from a third party, such as law enforcement, a financial institution, or even a journalist, rather than from its own monitoring.

Needless to say, customers are more often than not the last to learn that their private information has been exposed or stolen.

Without early notification that their personal information has been stolen from the organizations responsible for keeping it safe, individuals have no chance to take measures to protect themselves against identity theft.

With timely notice, they could turn to services that specialize in spotting fraud attempts, such as credit monitoring and fraud alerts, and potentially contain the problem before any damage is done.

The same legislation pushed by Obama would also make it a crime to sell stolen customer identity data to buyers overseas.

Check out Barack Obama's speech (it starts at minute 46, but skip to minute 51 for the cybersecurity portion):