A new draft bill is drawing controversy in the US. It could help allow private corporations to keep data breaches more secret.
We’ve been tracking some pretty serious data breaches over the last few months. This includes the ever worsening Equifax data breach, the Hardware Zone data breach, the FedEx data leak, and the Swisscom data breach to name a few.
Of course, what all of those breaches and leaks have in common is that they were, to varying degrees, disclosed to the public. It’s unfortunate that the incidents happen at all, but the good news is that people at least have a chance to protect themselves from things like identity theft because they know their information is compromised. As many working in the world of security know, public awareness of security is huge.
So, it may come as a shock to some that there are reports surfacing saying that a new draft bill would allow corporations to better keep data breaches shielded from public scrutiny. The LA Times is pointing to draft legislation (PDF) entitled the “Data Acquisition and Technology Accountability and Security Act”. The LA Times describes what is happening:
This week, a congressional hearing was held on a draft bill aimed at creating a national standard for breach notifications. It’s a dubious piece of legislation for a number of reasons, not least that it would exclude Equifax and other credit agencies from its requirements.
No less troubling, it would exempt all banks and financial institutions, and would require notification by retailers and other businesses only if they believe there’s “a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss” to consumers.
No harm, apparently, no foul. And hence no notification that the company’s system had been hacked.
And the final insult: The bill would preempt tougher state laws, including California’s, thus lowering the notification bar for all businesses.
“This is simply an attempt to set weaker laws as the ceiling for what states can do to protect consumers,” said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.
He told me the requirements under the federal bill are so lax that, in many cases, “we wouldn’t even know that a breach took place.”
So, unless actual harm is being done, the public doesn’t need to know that a breach has actually taken place. Who cares if the data is being sold and re-sold throughout the dark web over the course of several years, to the point where the origin of the breach is lost?
There doesn’t appear to be a whole lot of coverage of this bill at this point. One possibility is that, with everything else happening in American politics, things like this can easily get lost in the shuffle of the near-daily scandals of the Trump administration. In addition to this, there are midterms coming up as well, so what are the odds that this bill makes it through before the midterms?
Still, the effort to help shield organizations from accountability appears to be there. It’s unclear at this stage what the odds are that something like this is ever going to be passed.