Tuesday, February 25, 2014

Jason Atchley : Data Security : Attorney General Calls for Data Breach Notification Rules


Holder Joins Calls for Data Breach Notification Rules

Corporate Counsel

U.S. Attorney General Eric Holder Jr. has turned up the heat on Congress to pass legislation to create a national standard for notifying customers of data breaches, saying: "It is time."
Citing last year's massive data breaches at Target Corp. and Neiman Marcus Group Ltd., Holder said in a video message on Monday that lawmakers should make "a strong, national standard for quickly alerting consumers whose information may be compromised." At present, 46 states and the District of Columbia, Guam, Puerto Rico and the Virgin Islands enforce differing standards for data breach notifications, according to the National Conference of State Legislatures.
"This legislation would strengthen the Justice Department's ability to combat crime and to ensure individual privacy while bringing cybercriminals to justice," Holder said. "My colleagues and I are eager to work with members of Congress to refine and to pass this important proposal."
Holder gave few details on what he is looking for in the legislation. But he said the measure should facilitate law enforcement efforts to investigate data breaches and hold businesses accountable when hackers get access to customer information. The bill also should give companies "reasonable exemptions for harmless breaches" if they are acting responsibly, he said.
Several bills to create a national standard for breach notification are pending in Congress. They include the Data Security Act [PDF] and the Personal Data Privacy and Security Act [PDF], both of which senators introduced last month.
Sen. Tom Carper (D-Del.) has offered the Data Security Act in each of the past three Congresses. Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, has introduced the Personal Data Privacy and Security Act in each of the past four Congresses.
Under the Leahy bill, businesses generally would have to tell customers about a breach within 60 days of its discovery. If hackers targeted fewer than 5,000 customers, companies would only need to issue breach notification messages by mail, telephone or email to the individuals affected by the breach. But if the breach affected more people than that, companies would also have to make public statements through the media.
The Carper measure wouldn't specify when and how businesses should inform customers of breaches; it would leave those details to the Federal Trade Commission and other federal agencies.
John Mulligan, Target's executive vice president and chief financial officer, said earlier this month that his company would welcome a single federal standard. Michael Kingston, senior vice president and chief information officer for Neiman Marcus, said he didn't have an opinion on the creation of a national standard. But he urged "flexibility."
Said Kingston: "I do think … these investigations, these events, are different and, on a case-by-case basis, need to be handled differently."


Read more: http://www.corpcounsel.com/id=1202644242879/Holder-Joins-Calls-for-Data-Breach-Notification-Rules#ixzz2uMQXqKzG



