Bill Would Require Hacked-Account Alert - InformationWeek


A proposed law would force the disclosure of certain hacker attacks. The Bush administration wants details of attacks kept secret.

WASHINGTON (AP) - Embarrassed businesses and government agencies would have to notify consumers under a proposed law if hackers break into computers and steal some types of personal information, including Social Security numbers, driver's license numbers, and credit-card information.

The bill, introduced by Sen. Dianne Feinstein, D-Calif., a senior member on the Judiciary Committee, follows a similar California law with slightly tougher provisions that takes effect next week.

Both Feinstein's proposal and the new California law contrast with efforts by the Bush administration to keep details about major computer crimes from the public, in order to encourage hacking victims to notify the FBI and other government investigators. The FBI director and some top U.S. prosecutors assured technology executives just months ago they will increasingly work to keep secret the names of companies that become victims of major hacking crimes.

"That's our preferred approach. We didn't ask for this legislation," said Shannon Kellogg, director of information security policy at the Business Software Alliance. "But if you're going to look at legislation in this area, then it needs to be looked at in a national way."

The proposed federal law wouldn't affect the new California law, the first of its kind in the nation. But it would prevent other states from passing similar statutes.

Unlike California's new law, the federal law wouldn't allow consumers to sue companies for failing to notify them, and it gives companies more flexibility in how they make such announcements.

Still, consumer groups and others praised the effort.

"It's a really important step forward," said Chris Hoofnagle, deputy counsel at the Washington-based Electronic Privacy Information Center. "Individuals do not have this right to notice now."

Feinstein's bill would require companies or government agencies to notify customers "without unreasonable delay" if they discover hackers stole unencrypted lists of account information stored on their computers, unless police order them not to disclose it.

Companies or agencies could send written letters or E-mails to their consumers. If the hacking affects more than 500,000 customers or would cost a company more than $250,000 to notify customers, victim companies could report details about it with a "conspicuous posting" on their Web site or notify major media organizations.

The California law includes a similar provision for wide-scale hacking but requires victims in those cases to publish details on their Web sites and notify media organizations.

Companies or agencies that fail to comply could be fined under the bill up to $5,000 per violation, or up to $25,000 each day. It assigns responsibility for enforcing the law to state attorneys general and requires states to notify the Justice Department before filing a complaint.

The bill also includes an important exemption for businesses such as credit-card companies that employ security programs that block unauthorized transactions before they're charged to customers and that already notify customers of fraudulent transactions.
