Obama Proposes 30-Day Deadline For Disclosing Security Breaches

Following the string of massive data breaches at major corporations, President Obama has called for legislation that would standardize how these incidents are disclosed to the public. "The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country. The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft."
  • ...and pretty common-sense. It will be interesting to see if this gets implemented or not.
    • Re: (Score:2, Insightful)

      by jellomizer ( 103300 )

      So how would a small company know if their data has been hacked?
      You know, the ones with perhaps one IT guy, who mainly just installs canned software and makes sure the computer works.
      The data could have been compromised for months without anyone knowing it.

      Part of the problem with the economy's slow recovery is the difficulty of running a business. Adding restrictions on the use of technology makes it much harder.

       

      • Re:Not a bad idea... (Score:5, Informative)

        by Kierthos ( 225954 ) on Monday January 12, 2015 @01:59PM (#48795483) Homepage

        It's 30 days from when it's been discovered, not when the breach actually happens. That way, if it happened months ago, and the IT guy is only detecting it now, they're not in any extra trouble for not reporting it, UNLESS they wait more than 30 days from the point of discovery.

        • by khallow ( 566160 )
          And of course, they can show exactly when they discovered it. It's timestamped in the computer, right?
        • by Archangel Michael ( 180766 ) on Monday January 12, 2015 @02:17PM (#48795699) Journal

          Thus all we need is permanent plausible deniability.

          AND, taking notes on our current President .... Here are the stages to avoiding any responsibility for anything:

          "I found out about it the same time you did from the newspaper"

          "I am angry and am going to get to the bottom of it"

          "There is not a smidgeon of evidence..."

          "It is just a right wing conspiracy"

          "Phony Scandal"

          "Golf!"

          ????

          "Profit"

        • Point of 'discovery' doesn't sound so easy to prove in court, unless it's documented I suppose. The best thing to do now is to assume the worst. All systems are compromised. It's just too easy to do, especially for you-know-who...

          • This is really aimed at irresponsible behavior by large companies. Large companies are undoubtedly going to leave a massive trail of emails and tons of other proof in the wake of the discovery as they try to rectify the problem, and subpoenas will get that proof into the court system. Small companies aren't going to be worth bringing to court, since there's a decent chance that there's no real proof.
        • Still in that case.
          How will you let the large small-business population know about these new rules and regulations? I mean, if your job isn't really IT-based you may not really know about this law. Then if you did, how much effort will there be in reporting? What type of backlash from a huge government bureaucracy to a small business that is trying to make the bills every month?

          Even if you're not liable, having to go through the process is enough to kill a small business. Then after the breach you probably w

          • by Yebyen ( 59663 ) on Monday January 12, 2015 @02:40PM (#48795969) Homepage

            No! Just no!

            If you are a business in the business of making money, small or large, and you have taken my data for some business reason and are careless with it, you should be liable for whatever happens. Every time I hear about another retail company that is storing a bunch of credit cards against the law and PCI, who really doesn't need to be storing any credit card numbers at all, I say "Well no wonder. It was probably the fault of some poor overworked, underpaid IT department." Probably the sales department charged the clients not enough to cover the actual cost of operating the business, and they cut corners. You don't win bids pricing services reasonably, you have to undercut the competition!

            If you think that every company should have carte blanche to do just whatever with customer data, without regard to keeping it secure from hackers, because "computer hard, IT too expensive" then you are part of the problem. Until some of these companies that are gutted by hackers with their "secure" data splayed out all over the internet get gutted again afterwards by regulators, or even by customers leaving to hold them to account after the event, the executive suite is going to continue to place the security bulletin into the circular file and we are going to see more and more of these breaches.

            • Wow. judgemental much.

              The issue at hand is the fact that government controls meant to curb the big corporations are often nearly impossible for small businesses to comply with.

              If you personally had my data. And your system got hacked, you will be responsible.
              So you didn't patch your servers years after a zero day, you are careless.
              How about weeks after a patch comes out.
              How about if you got hacked before a patch came out.
              Even if you do everything right you could still get hacked.

              If you are a big co

              • by Yebyen ( 59663 )

                This whole business of patches is really nonsense, if you want my actual opinion. If your data is worth $X and you have a contract with insured software vendors that protects you from liability to exposure from information loss up to $X-N, your exposure to a loss event is $N. If you don't have such contract, your exposure is $X. That's all I'm saying.

                I know I am living in fairy dream land here, but I think it's irresponsible that basically every company it seems is taking software that they can't inspect

            • No! Just no!

              If you are a business in the business of making money, small or large, and you have taken my data for some business reason and are careless with it, you should be liable for whatever happens.

              Isn't it amazing how businesses have managed to turn fraud - a crime perpetrated against them, for which they are responsible for preventing it, detecting it, and absorbing any losses because of it - into "identity theft", a crime for which the consequences are dumped onto a third party who has to prove his or her innocence?

              I think the corporate model now is simultaneously both "we own customer data we collected" and "the customer is responsible for his or her own data", nonsensical doublespeak designed to

      • by Jawnn ( 445279 )

        So how would a small company know if their data has been hacked? You know, the ones with perhaps one IT guy, who mainly just installs canned software and makes sure the computer works. The data could have been compromised for months without anyone knowing it.

        Part of the problem with the economy's slow recovery is the difficulty of running a business. Adding restrictions on the use of technology makes it much harder.

        Well, that's a good question, and arguably applies to companies of all sizes. And my answer is, "You'll know because you're doing the things you're supposed to be doing. You know, like employing things like SIEM, IDS, IPS, etc."

        • Um, why wouldn't a one-man IT dept have the following:

          1 a portable drive with the following tools
          A WSUSOFFLINE : ----- MS patches
          B NINITE PRO: most of your freeware/FOSS stuff including AcroReader and Flash
          C Some sort of basic network audit/inventory tool
          D whatever you need to check the stuff not covered
          E BAD WOLF EVENT backups of the various software bits

          2 some sort of NUKE AND PAVE disk (for when you have a BWE and need to get back up NOW)

          3 a Red Binder with everything needed to spin the business back up fro

      • by rtb61 ( 674572 )

        More importantly, when you get hacked by the NSA, does that mean you have committed a crime for failing to report whilst simultaneously being barred from reporting it for reasons of national security?

    • As long as there are rules in place protecting the little guy, meaning someone with a small footprint would be exempt from these rules, meanwhile Google and Apple would not. There are outfits out there that have one IT guy (or worse, no IT guy) that would be unjustly harmed by such rules.
      • This is just a show - "I am doing something about this awful data breach problem."

        If there any exemptions, you can bet it won't be the "little guy" getting them. More likely the "little guy" will be the example of the consequences. After all the "little guy" makes no significant political party contributions.

        Just an observation....

    • Bad idea. The purpose of the law is to override and weaken the strong protections California (and elsewhere) has given to its residents.

    • I'm afraid its primary use will be as an NSA honey trap, to allow federal agencies to be able to look up reported vulnerabilities and use them without warrants, due process, or notification of the victims of federal monitoring.

  • Yeah, okay (Score:4, Insightful)

    by Anonymous Coward on Monday January 12, 2015 @01:47PM (#48795321)

    He says as ISIS literally gets into the CENTCOM twitter account and posts military personnel's addresses/info, data from the pentagon and other bullshit

    I mean come the fuck on

    Data apocalypse now

    • by RingDev ( 879105 ) on Monday January 12, 2015 @01:57PM (#48795457) Homepage Journal

      "Data apocalypse now"

      Disregarding the rest of your post for this nugget.

      The thought of a remake of Apocalypse Now as Data Apocalypse Now, as a senior CIA agent is being sent into the field with some hard-core MI6 bodies to capture and return a rogue agent distributing data in an "information wants to be free!" kind of zeal (only way darker). And over time, embedded with the rogue agent, after the MI6 team gets picked off or falls into a drug-induced free-knowledge stupor, he starts doubting his mission: maybe data does want to be free?

      The thought of a Brit with a laptop saying, "Charlie don't surf!" while browsing the web from North Korea ...

      Seriously, that could be a good movie.

      Could be. Odds are though, it would be drivel.

      -Rick

    • by SumDog ( 466607 )

      You really think ISIS got a hold of some Twitter/Google account passwords? Sure there's social engineering, but I think it's more likely CENTCOM faked the ISIS tweets. It just helps build anti-terrorism support and stricter data control from the US people. It's all bull-shit.

  • This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.

    • by Okian Warrior ( 537106 ) on Monday January 12, 2015 @01:59PM (#48795487) Homepage Journal

      This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.

      Yeah, and the Democratic president waited until *after* the Democrats lost power in the legislature before proposing it.

      It almost seems - dare I say it - that both parties are against the needs of the people!

      • Well, yeah. For the vast majority of politicians, the goal is to do/say whatever it takes to be re-elected. If you can make the other party look like slime in the process, that's just a bonus.

      • by hondo77 ( 324058 )

        Yeah, and the Democratic president waited until *after* the Democrats lost power in the legislature before proposing it.

        So you don't want the President to propose anything because he should have done everything already?

        • I don't want any POTUS propose anything in the first place, it's not his job, it's Congress that is supposed to push bills and beyond that governments are not supposed to regulate any businesses or individuals in the first place. It's not a job that you would want a government to do, to regulate business decisions, that's the entire purpose of a free market and the reason the modern economies are going to hell is because there is no free market left, it's all regulated, monopolised by government laws and r

      • Democrats lost control of Congress in 2010. It was in all the papers.

        • Congress is comprised of the House of Representatives and the Senate. Control of Congress was split until this year. The Republicans gained control of the House of Representatives in 2010. The Democrats had control of the Senate until this year.
          • Yes, I know.

            The point is that John Boehner has had to approve of all legislation since January 2011. That completely destroys the "insightful" comment made by the parent post.

      • by Jawnn ( 445279 )

        Yeah, and the Democratic president waited until *after* the Democrats lost power in the legislature before proposing it.

        Seems to me that the GOP did a pretty good job of blocking legislation that they didn't like for the last 6 years, even without a majority.

      • "that both parties are against the needs of the people!"

        I wouldn't put it that way, as often enough they are. I think it's just #3 on the priority list behind getting re-elected and helping out their cronies, be they private parties or political parties. Those two are nearly one and the same, and as long as they aligned with the needs of the people, they're all set.

        Part of the issue though is defining what exactly the "needs of the people" are. Dictatorships. communist and democratically elected go
    • by BillCable ( 1464383 ) on Monday January 12, 2015 @02:00PM (#48795507)
      I see the main problem being that these companies will be forced to disclose breaches while they're still in the midst of investigating and fixing them. I can see it taking more than 30 days to discover the breadth of a breach.
      • Yeah, but the way the summary is worded, it makes sense.

        IT guy discovers data breach affects customer 1-10,000.
        Within 30 days they have to notify those customers of the data breach.
        10 days into that notification process, IT guy discovers that, oh crap, customers 10,001 - 100,000 were affected.
        The 30 day timer starts for THOSE customers now.
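The per-cohort timer described in the reply above, together with khallow's earlier question about whether the point of discovery "is timestamped in the computer", can be made concrete. The following is an added example, not code from the Slashdot thread or from the proposed bill: a hash-chained, append-only ledger of breach findings, where each finding records its own discovery time, and the 30-day notification deadline is computed per cohort from that entry. The 30-day window, the field names, and the sample findings are assumptions for the example; the chain is SHA-256 over the previous entry's hash plus the canonical JSON of the new entry, so a later edit to any earlier entry (or a reordering) fails verification.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Assumed from the proposal's "30 days of discovering"; not a statutory value.
NOTIFICATION_WINDOW = timedelta(days=30)
GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Chain hash: SHA-256 over the previous hash and canonical JSON of the entry."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class DiscoveryLedger:
    """Append-only record of when each affected-customer cohort was discovered."""

    def __init__(self):
        self.entries = []  # list of (entry_dict, chain_hash), in append order

    def record(self, discovered_at: datetime, cohort: str, affected: int, note: str) -> str:
        """Append one finding; the discovery time is fixed at the moment of recording."""
        if discovered_at.tzinfo is None:
            raise ValueError("discovery timestamps must be timezone-aware")
        entry = {
            "seq": len(self.entries),
            "discovered_at": discovered_at.isoformat(),
            "cohort": cohort,
            "affected": affected,
            "note": note,
        }
        prev = self.entries[-1][1] if self.entries else GENESIS_HASH
        chain_hash = _entry_hash(prev, entry)
        self.entries.append((entry, chain_hash))
        return chain_hash

    def verify(self) -> bool:
        """Recompute the whole chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS_HASH
        for entry, chain_hash in self.entries:
            if _entry_hash(prev, entry) != chain_hash:
                return False
            prev = chain_hash
        return True

    def deadlines(self) -> dict:
        """Each cohort's deadline runs from that cohort's own discovery time."""
        return {
            entry["cohort"]: datetime.fromisoformat(entry["discovered_at"]) + NOTIFICATION_WINDOW
            for entry, _ in self.entries
        }

    def overdue_at(self, now_iso: str) -> list:
        """Cohorts whose notification deadline has passed at the given ISO-8601 time."""
        now = datetime.fromisoformat(now_iso)
        return [cohort for cohort, due in self.deadlines().items() if now > due]


def build_sample_ledger() -> DiscoveryLedger:
    """Constructed sample data mirroring the scenario in the comment: two findings, ten days apart."""
    ledger = DiscoveryLedger()
    first = datetime.fromisoformat("2015-01-12T14:00:00+00:00")
    ledger.record(first, "customers 1-10000", 10000, "initial finding on order database")
    ledger.record(first + timedelta(days=10), "customers 10001-100000", 90000,
                  "archive replica also exposed")
    return ledger


if __name__ == "__main__":
    led = build_sample_ledger()
    for cohort, due in led.deadlines().items():
        print(f"{cohort}: notify by {due.date()}")
    print("chain intact:", led.verify())
    print("overdue on 2015-02-16:", led.overdue_at("2015-02-16T14:00:00+00:00"))
```

The ledger does not by itself prove good faith about when a finding was made; what it does is make it expensive to quietly backdate or rewrite the record afterwards, which is the evidentiary point raised in the thread. In practice the chain hash of each new entry would also be sent to something the company cannot alter alone (a ticketing system, outside counsel, a timestamping service), which the example leaves out.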

  • by xxxJonBoyxxx ( 565205 ) on Monday January 12, 2015 @01:49PM (#48795335)

    ...and where was this nifty idea (and the free college one too, and immigration reform, etc.) during his first two years in office (when the Congress was mostly Dems)?

    Why does he even bother to open his mouth now?

  • by Anonymous Coward on Monday January 12, 2015 @01:50PM (#48795357)

    This law sounds good, but it doesn't have a prayer:

    1: Who enforces it? Will it be as toothless as HIPAA or SOX, where the only person thrown in jail on Sarbanes-Oxley was guy who fished up one too many groupers?

    2: If enforced, where is there proof that the hole was discovered, and what date? I'm sure a H-1B will be darn sure to keep mum when he/she actually found the breach in order to not be deported.

    3: What is a breach? Is someone duping gold on ClicheQuest considered a breach? A warp hack? What about a web server showing the FTP server's links? The courts can be clogged for years of lawyers deliberating this... and when it comes to technical issues, courts tend to side with what side has the most lawyers.

    4: What happens when a breach and trade secrets smack into each other? A court erring one way, and businesses can have their secret sauce dumped out by clever lawyers. Another way, and every breach can be covered up as a trade secret.

    5: Who is going to fund enforcement? The next President may not bother funding this endeavor.

    Nice political thing... but this law is actually not going to ever see the books. We will see mandated hardware DRM stacks and health checks to make sure DRM is present on all devices before we see this on the books and actively enforced.

    • Will it be as toothless as HIPAA or SOX, where the only person thrown in jail on Sarbanes-Oxley was guy who fished up one too many groupers?

      If you think that HIPAA and SOX are toothless, you don't know anything about them. The number of people thrown in jail is far from the only valid metric. Spend some time working in corporate worlds that manage medical or financial information and see just how terrified everyone is of violating them. In the relevant industries you can get almost anything done, regardless of whether it makes sense, if you can make a vaguely believable argument that HIPAA or SOX requires it.

      If enforced, where is there proof that the hole was discovered, and what date? I'm sure a H-1B will be darn sure to keep mum when he/she actually found the breach in order to not be deported.

      From an enforcement perspective, the

  • 30 days is plenty of time to research, patch, test, public announce fix, make fix available.

  • by StandardCell ( 589682 ) on Monday January 12, 2015 @01:56PM (#48795439)
    Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knows a name, DoB, address and SSN?
    • and Car Insurance or anything else where they use it. It's an overused piece of personal information.

    • Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because someone knows a name, DoB, address and SSN?

      That is technically already law; the problem is there is an executive order that allows for an expanded use, which essentially turned the SSN (which was only supposed to be used for Tax and SS benefits and nothing else) into a National ID number, thus leading to the problems you see with it today.

    • by T.E.D. ( 34228 )

      prevent private companies from using SSNs for ID numbers, customer identification and credit granting

      I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same

      • by OzPeter ( 195038 ) on Monday January 12, 2015 @02:39PM (#48795947)

        I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.

        You're right. As long as the UPN is used for both authentication AND authorization, then you are screwed no matter what the number actually is. The trick is to separate the two functions somehow, and will mean a fundamental shift in how things are done.

        The problem in the US is that the SSN is used for both authentication and authorization, even though it was only meant for the former.
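The separation OzPeter is describing, a number that identifies an account but cannot by itself prove the caller is the account holder, is the everyday identifier-versus-authenticator split. The following is an added example and is not code from the thread: an account store in which the SSN (or any UPN) is only a lookup key, and authentication requires a separate high-entropy secret that is issued to the customer and stored only as a salted PBKDF2 verifier. The record format, the secret length and the iteration count are assumptions for the example; the store uses a dummy verifier for unknown identifiers so that a lookup miss costs the same as a wrong secret.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for the example (PBKDF2-HMAC-SHA256 with a per-account salt).
PBKDF2_ITERATIONS = 200_000
SECRET_BYTES = 24


def _verifier(secret: str, salt: bytes) -> bytes:
    """Derive the stored verifier from the customer's secret; never store the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Identifier (SSN/UPN) is a lookup key only; authentication uses a separate secret."""

    def __init__(self):
        self._accounts = {}  # identifier -> {"name", "salt", "verifier"}
        # Dummy credentials used for unknown identifiers so timing does not reveal
        # whether an identifier exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_verifier = _verifier(secrets.token_urlsafe(SECRET_BYTES), self._dummy_salt)

    def enroll(self, identifier: str, name: str) -> str:
        """Create the account and return the fresh secret to hand to the customer out of band."""
        if identifier in self._accounts:
            raise ValueError("identifier already enrolled")
        secret = secrets.token_urlsafe(SECRET_BYTES)
        salt = os.urandom(16)
        self._accounts[identifier] = {
            "name": name,
            "salt": salt,
            "verifier": _verifier(secret, salt),
        }
        return secret

    def lookup(self, identifier: str):
        """Identification only: knowing the number tells you which account it is, nothing more."""
        record = self._accounts.get(identifier)
        return record["name"] if record else None

    def authenticate(self, identifier: str, presented_secret: str) -> bool:
        """True only if the presented secret matches this account's verifier."""
        record = self._accounts.get(identifier)
        if record is None:
            salt, expected = self._dummy_salt, self._dummy_verifier
        else:
            salt, expected = record["salt"], record["verifier"]
        candidate = _verifier(presented_secret, salt)
        matched = hmac.compare_digest(candidate, expected)
        return matched and record is not None


if __name__ == "__main__":
    store = AccountStore()
    ssn = "123-45-6789"  # constructed sample identifier, not a real SSN
    secret = store.enroll(ssn, "Example Customer")
    print("lookup by SSN:", store.lookup(ssn))
    print("SSN alone authenticates:", store.authenticate(ssn, ssn))
    print("issued secret authenticates:", store.authenticate(ssn, secret))
```

With this split, a leaked list of names and SSNs lets an attacker identify accounts but not act as their owners; the thing that must stay secret is the issued secret, which is never given out to third parties as an identifier and can be rotated without changing the SSN.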

    • This is a great idea. Once there is a working system in place to replace the current one. Until that is true, this proposal would prevent many companies from doing business and many customers from obtaining necessary services. It's a fine idea in principle; it's just those nasty details and implementation that are complicated and make this unrealistic.
    • Not sure but on the back of my SSC it clearly says "Not to be used for Identification Purposes".
  • If Obama, or for that matter any leader at a time when Presidential and Congressional approval ratings are in the basement, were smart, he would

    * sit down behind closed doors with leaders of both parties and major caucuses
    * get a list of general things almost everyone agrees should pass in some form and for which a consensus bill can probably be reached
    * quickly negotiate a broad "consensus bill" for everything in the above list
    * quickly get the bills pushed through both houses of Congress, giving the small

    • If Obama, or for that matter any leader at a time when Presidential and Congressional approval ratings are in the basement, were smart, he would

      * sit down behind closed doors with leaders of both parties and major caucuses * get a list of general things almost everyone agrees should pass in some form and for which a consensus bill can probably be reached * quickly negotiate a broad "consensus bill" for everything in the above list * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard. * hold bipartisan signing ceremonies * ??? * PROFIT in higher approval ratings for both the White House and Congress

      Okay, I was kidding about the ???/PROFIT part but those inside the beltway really do need to realize there is a lot that they do agree on and they and America are better off getting the things that need to get done done rather than sticking to their guns just to spite the other party.

      This is Obama you're talking about. He's not interested in anything that isn't 100% of what he wants. Reid did good in hiding that by not allowing anything through the Senate that Obama wouldn't sign; but that protection is no longer there.

      • by Jawnn ( 445279 ) on Monday January 12, 2015 @02:39PM (#48795943)

        This is the GOP you're talking about. They're not interested in anything that isn't 100% of what they want...

        TFTFY.

        • Very true

          http://www.washingtonpost.com/blogs/right-turn/wp/2014/08/04/harry-reids-reign-of-paralysis/

          Of course the truth is a bit different.
        • This is the GOP you're talking about. They're not interested in anything that isn't 100% of what they want...

          TFTFY.

          Incorrect. The House passed numerous bills since 2010 and made numerous concessions to Democrats. Only the Democrats (Reid, Obama) would not negotiate. It's well documented.

          Now, that's not to say the GOP didn't stop negotiations on some points; but what's the point of negotiating at all if you know the other side won't? There is none. So Reid and Obama's lack of negotiations brought everything to a stand still and gave the GOP zero reason to even try negotiating - especially after getting burned by tryin

          • > Incorrect. The House passed numerous bills since 2010 and made numerous concessions to Democrats. Only the Democrats (Reid, Obama) would not negotiate. It's well documented.

            "Well documented" by a "fair and balanced" news channel, perhaps? I suggest you take a look at the voting records on the "Obamacare" health bill, on anything that involves birth control, and on anything that affects Latin American immigration.

            • RE: Obamacare, Democrats refused to negotiate with Republicans, so all the Republicans voted against it.

              RE: Amnesty, some Republicans were/are for amnesty and some were/are against it. A sufficient number were for a compromise along the lines of "actually enforce immigration laws STARTING RIGHT NOW to keep new illegal immigrants from entering. Then, once we're sure the new enforcement is being enforced, we can amnesty the illegal immigrants who are already here." The Democrats wouldn't go for this, so Obama

    • by Obfuscant ( 592200 ) on Monday January 12, 2015 @02:21PM (#48795771)

      * quickly negotiate a broad "consensus bill" for everything in the above list

      The use of riders to attach irrelevant legislation to other stuff is already too much of a problem, you want an entire bill made up of unrelated stuff as one package?

      * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.

      It's nice you let them have a chance to "be heard". But consider this: the more unrelated things you put in one bucket, the more likely you are to reach a critical mass of people who object to something in that bucket and vote no just for that small part they object to. The entire bill fails for want of a smaller bucket.

  • Seriously.

    If you can't get your own house in order, why do we expect other people to do the same.

    • Maybe the trick is.. not to follow bad example, kind of like doing the *right thing* despite what others are doing. Not that a stupid law is going to make a difference or anything. That's purely a PR thing after the party just gave another pass to Wall Street.

      • Well, we saw what happened in Canada when they had a new law about Copyright and "rights holders" tried to pretend they could get $500,000 for a music violation when the law said $5000 max - the Feds there cracked down on the litigants.

        But, the concept of a 30 day deadline is to force people to disclose it in the US. Admirable goal. Might be needed as a blanket requirement, because there are always excuses for not reporting.

  • Comment removed based on user account deletion
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Say what? I read the whole article without paying any fee, or logging in, or any other nonsense. If you have cookies from NYT, delete them and try again. Better yet don't accept them in the first place.

      --

      Obama to Call for Laws Covering Data Hacking and Student Privacy

      By MICHAEL D. SHEAR and NATASHA SINGER, JAN. 11, 2015

      WASHINGTON — President Obama on Monday called for federal legislation intended to force American companies to be more forthcoming when credit card data and other consumer information are

  • by Etherwalk ( 681268 ) on Monday January 12, 2015 @02:04PM (#48795561)

    Many schools have a system where students submit papers through an online submission system that checks their papers against other papers in a database for plagiarism. Personally I find it incredibly offensive and fought successfully against such a system when I was in undergrad, because it assumes that a student is guilty then runs a check to make sure he isn't.

    But regardless of the ethics or morality of the process, it *relies* on the vendor profiting from each submitted paper, in that each submitted paper grows its database of papers. The database is then cross-referenced against new submitted papers to look for plagiarism.

    So if companies are prohibited from profiting from the information, it may be tricky to have this business model survive.

    • by Sowelu ( 713889 )

      Are you sure you commented on the right story? I don't get it.

    • by i.r.id10t ( 595143 ) on Monday January 12, 2015 @02:26PM (#48795823)

      I have issues with turnitin.com as well (and I'm a teacher and work in academic technology) but mostly because instructors/institutions can force a student to give up their intellectual property in order to support a 3rd party's business model.

      I've started adding a footer on my papers I submit as a student along the lines of "this paper is the intellectual property of i.r.id10t. any commercial use is prohibited"

      Don't think I'll ever get anywhere because of it, but at least it makes me feel half way ok for a few moments...

    • by Jawnn ( 445279 )

      So if companies are prohibited from profiting from the information, it may be tricky to have this business model survive.

      Yeah? So? The message should be clear enough: find some other way to make money and stop being a leech.

    • I put GPL at top of anything I submitted. Storing a program in a database (or source code) is creating a derivative. Either open source your software or don't check my program. Not that I ever cheated (in compsci), but there are only so many ways to write "a program that sings '100 bottles of beer on the wall'".
      • First, turnitin verification is, I hear, normally nominally voluntary on the copyright holder's part. It may not feel voluntary, but you aren't legally forced to submit material for grading. Since you have agreed to the terms of use, the GPL notification isn't a further restriction. (The GPL does not restrict anything beyond ordinary copyright. Putting it on something does not limit what somebody might do with the work due to other licensing. Nor are you prevented from issuing both GPL and proprietary

  • by seven of five ( 578993 ) on Monday January 12, 2015 @02:21PM (#48795763)
    the National Security Breach database has been breached. Please try again later.
  • Good (Score:4, Interesting)

    by mbone ( 558574 ) on Monday January 12, 2015 @02:24PM (#48795801)

    Sounds like a good idea. Now, let's get the NSA and FBI to fill one of these out.

  • This is US law. An anonymous person belongs to no country... Does not seem like anything except a means for big companies to sue security companies: "Hey, you found a bug that my incapable overseas staff copy-and-pasted in! You owe me 400 bars of gold-pressed latinum for damages!"
  • I appreciate the intent, I really do. In reality, it will be very, very difficult to write sensible rules that apply to every situation. Typically, when you think you might have been hacked, there are more questions than answers. You may never know if the intruder took any data.

    Most investigations I've been involved in start with noticing something slightly odd - some non-critical machine has a file on it and we're not sure what the file is, or how it got there. It might be the installer for a Microsoft hotfix that an admin downloaded - a perfectly innocent file, just something someone forgot to delete when done, or it might be something a bad guy forgot to delete. (The typical hacker toolkits try to cover their tracks).

    You investigate a bit more and find more suspicious stuff, so you become fairly convinced that a bad guy had some level of access to THIS computer. YOU might even know for sure that they had _some_ access to _this_ computer. You can never know for sure that they didn't have access to the entire network, because you can't prove a negative. You _think_ the intrusion was limited to this one machine.

    Maybe you see something strange on a machine that has access to customer information. Maybe some typical Windows malware trying to send out spam. If the people running the botnet knew what machine they had infected, they could have gotten customer data. They probably didn't notice, though; they're just running a spam botnet. Do you have to contact all of your customers and tell them that your Customer Service Manager's desktop had malware on it?

    Typically, you KNOW that sensitive data was taken when it starts showing up in public. So at what point do you contact customers?

    I think that's a judgement call. It depends on both the likelihood of a leak and the type of data involved - could it do much damage, and is there anything to be done to lessen the damage? I've done it at different times depending on the data. Once, there was a small possibility that a bad guy could have accessed credit card numbers. We were 85% certain there was no bad guy, but we went ahead and called customers anyway. We called and told them "we're pretty sure there is no problem, but please look at your credit card statement and let us know if you see anything out of the ordinary". An example in the other extreme was that a bad guy could probably have read the PHP source code of a public web site. That was much more likely, but who cares - it's mostly public anyway. I didn't hurry to notify anyone that time.

  • by RogueWarrior65 ( 678876 ) on Monday January 12, 2015 @03:19PM (#48796387)

    So, if a company doesn't disclose a breach in 30 days, what happens? They get fined? By the government? Who gets the money? What does a punitive regulation solve? What if the company doesn't themselves find out about the breach for 30 days?

  • How about liability?
    Say, minimum $1,000,000 per bit of personal info lost.
    Oh, your corporation can't afford that? Then don't store personal data.

  • Could this requirement maybe be extended to large vendor zero-day [theregister.co.uk] vulns?

    Just imagine a world where the only zeroes weren't in the second or third digits of the days-to-patch.

  • This shouldn't just apply to corporations. I want to know what recourse I have should my medical records or medical history be compromised.
  • Regardless of whether the target is a giant corporation or a mom and pop store, the 30 day idea is likely to try and limit the financial damage once the attack is known. There are actually folks who sit and watch the underground sites that sell Credit Card information and once big lots of them go up for sale, little red flags start popping up and banks start getting notified about it.

    Some folks are trying to claim how small business will be impacted by such a rule but, in my opinion, no one should be exempt from t
  • I have a pessimistic view of this and suspect that many companies are hacked and just silently sit on it because - well - they don't need to tell anyone.

    This sounds like a plan to bolster the US Mail system by causing 10 pounds of mail weekly to each constituent alerting them to a recent data breach. Or we'll all need fax machines with an endless spool of paper. Oh wait - it was called a ticker. "...today your account at ACME XYZ was hacked at 9:43 AM...."

    If I notice that my twitter account was hacked -

    • Somebody on Twitter guessing your password isn't a breach of Twitter, it's a breach of your stupid password choice. If Twitter gets breached and *everybody's* password is exposed, then you'll get a message (by email, not post, obviously).

  • I agree... the Government should provide notice within 30 days of when they've obtained my personal data without permission.
    Equally and only if that is done, corporations should also let me know within 30 days when someone's obtained my personal data without permission.

    E

  • DHS under-secretary works as strategist for Microsoft, Microsoft security chief moves to White House, White House security czar moves to DHS, DHS buys Microsoft product to run terrorist database (jeez!), Microsoft creates post of Director of Homeland Security .. no conflict of interest here :)
