Following a number of very high-profile customer data security breaches in the past year or so, Congress and several state governments are now considering legislation that would require businesses and organizations that manage databases of personal information to put in place safeguards against hacking. Companies that don't could face significant fines after a breach.
In the U.S. Congress, a pending bill, S. 1976, introduced by Sen. John D. Rockefeller (D-W.V.) would require any company or organization that becomes the victim of a data breach to promptly notify a handful of government agencies, including the U.S. Secret Service, Federal Bureau of Investigation, Federal Trade Commission, and the U.S. Postal Service (if mail fraud was also involved), as well as the attorney general of states involved and any other appropriate federal or state agencies.
Some of the other legislative changes would give the FTC regulatory authority over breaches, spell out the responsibilities organizations have to protect personal data from being hacked, and provide for severe penalties of up to $5 million for failure to comply.
On the state level, California, Florida, Iowa, Kentucky, Louisiana, Minnesota, and New Mexico are all considering legislation that identifies very specific steps that must be taken to protect consumer information, with penalties for non-compliance. Twelve other states are toughening data breach reporting requirements.
With ever-increasing numbers of data breaches like those that hit Target and Netflix earlier this year and late last year, it's certainly welcome news that lawmakers are determined to hold firms accountable for managing personal information. Unfortunately, not everyone is convinced.
360 Advanced, an accounting and security assessment firm, recently issued a statement against the new legislation.
“Our analysis of pending legislation requiring data security safeguards and stiff penalties for non-compliance sends a chill across an entire industry that is already moving swiftly toward voluntary compliance on numerous levels,” said Dan Collins, president of 360 Advanced, in a statement. “It is one thing for state and federal legislators to strengthen data breach reporting requirements, which is indeed appropriate, but it’s another matter entirely when they consider legislation that would punish service providers for being hacked.”
Granted, ultimate responsibility for a data breach lies with the individuals or organizations doing the hacking, but companies still have an obligation to protect the data they hold from such attacks.