After a year of high-profile retail data hacks, and with the big EMV target date approaching, legislators on Capitol Hill have agreed to hold a legislative hearing on federal protocols for data breaches and reporting, according to sources at SC Magazine.
Spurred on by President Barack Obama, and with House and Senate Democrats working on draft legislation, the first hearing will convene on Jan. 27. While it is unclear what the proposed legislation will say specifically, sources close to Congress and industry leaders suggest that it will require breached organizations to notify customers within 30 days that a breach occurred, and that it will clarify where liability lies in data breaches. The law would also initially criminalize the illicit overseas trade in identities.
While 47 states already have laws on the books regarding data breaches and identity theft, proponents of a federal standard include the National Association of Federal Credit Unions (NAFCU), which sent a letter to Congress on Jan. 22 calling for a working group to form to tackle the issue. A national data-security standard, according to the group, would clear up confusion as to where jurisdiction lies for data breaches that cross state lines, as well as clarify who pays the costs in at-fault cases.
While the move is proving popular with banks and credit unions, which generally have strong data breach prevention practices, some, like Ken Westin, senior security analyst with Tripwire, are concerned about the 30-day “shot clock” for reporting. In comments he sent to SCmagazine.com, Westin questions how such a provision would be enforced. Does the 30-day countdown start once the breach is reported to law enforcement? If it does, the rule could encourage organizations to withhold the information from law enforcement in an attempt to resolve the issue before they are involved, effectively extending the 30-day window.