Jason Atchley : Data Security : Attorney General Calls for Data Breach Notification Rules

jason atchley

Holder Joins Calls for Data Breach Notification Rules


Andrew Ramonas, Corporate Counsel

February 24, 2014    |0 Comments

Anatoliy Babiy
U.S. Attorney General Eric Holder Jr. has turned up the heat on Congress to pass legislation to create a national standard for notifying customers of data breaches, saying: “It is time.”
Citing last year’s massive data breaches at Target Corp. and Neiman Marcus Group Ltd., Holder said in a video message on Monday that lawmakers should make “a strong, national standard for quickly alerting consumers whose information may be compromised.” At present, 46 states and the District of Columbia, Guam, Puerto Rico and the Virgin Islands enforce differing standards for data breach notifications, according to the National Conference of State Legislatures.
“This legislation would strengthen the Justice Department’s ability to combat crime and to ensure individual privacy while bringing cybercriminals to justice,” Holder said. “My colleagues and I are eager to work with members of Congress to refine and to pass this important proposal.”
Holder gave few details on what he is looking for in the legislation. But he said the measure should facilitate law enforcement efforts to investigate data breaches and hold businesses accountable when hackers get access to customer information. The bill also should give companies “reasonable exemptions for harmless breaches” if they are acting responsibly, he said.
Several bills to create a national standard for breach notification are pending in Congress. They include the Data Security Act [PDF] and the Personal Data Privacy and Security Act [PDF], both of which senators introduced last month.
Sen. Tom Carper (D-Del.) has offered the Data Security Act in each of the past three Congresses. Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, has introduced the Personal Data Privacy and Security Act in each of the past four Congresses.
Under the Leahy bill, businesses generally would have to tell customers about a breach within 60 days of its discovery. If hackers targeted fewer than 5,000 customers, companies only would need to issue breach notification messages through the mail, telephone or email to those individuals affected by the breach. But if the breach affected more people than that, companies also would have to make public statements through the media.
The Carper measure wouldn’t specify when and how businesses should inform customers of breaches; it would leave those details to the Federal Trade Commission and other federal agencies.
John Mulligan, Target’s executive vice president and chief financial officer, said earlier this month that his company would welcome a single federal standard. Michael Kingston, senior vice president and chief information officer for Neiman Marcus, said he didn’t have an opinion on the creation of a national standard. But he urged “flexibility.”
Said Kingston: “I do think … these investigations, these events, are different and, on a case-by-case basis, need to be handled differently.”

Read more: http://www.corpcounsel.com/id=1202644242879/Holder-Joins-Calls-for-Data-Breach-Notification-Rules#ixzz2uMQXqKzG


Posted by at 12:43 PM 

One thought on “Jason Atchley : Data Security : Attorney General Calls for Data Breach Notification Rules

  1. Pingback: Jason Atchley : Data Security : Attorney Genera...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s