In an article I wrote for the Week in Review section last Sunday, I noted that no federal laws existed to punish companies when customers’ personal information and data were stolen in cyber-attacks or mishandled by companies. And so punishment in these cases is left up to the states. Yet in many instances, state officials don’t have the resources to tackle this problem, and even acknowledge that they don’t always understand the technical aspects of breaches.
Some government officials, though, are pressing for new federal legislation on this subject.
Senator Al Franken, the former comedian and a Democrat from Minnesota, is one of them. As chairman of a new Senate Judiciary subcommittee on privacy and technology, he held a hearing on Tuesday and questioned Google and Apple executives about storing customers’ locations without their knowledge on mobile devices.
Representatives from Apple and Google defended their data collection practices, noting that location information was anonymous. But Mr. Franken said the problem was that “these breaches of privacy can have real consequences for real people.”
Senator Richard Blumenthal, a Democrat from Connecticut and the former attorney general of that state, has also been pressing Congress to adopt new laws that would hold companies accountable for data breaches. Mr. Blumenthal has publicly chided Sony for its slow response to a cyber-attack last month that could have resulted in the theft of private information of 77 million customers.
A House subcommittee has also been holding hearings over the past month to question Sony as well as Epsilon, an e-mail marketing company that also suffered a hacking attack resulting in the loss of millions of e-mail addresses.
The Securities and Exchange Commission is being urged by senators to create new rules that would require companies to immediately disclose when they have been the victim of a cyber-attack, specifically when personal information has been compromised. To date, some states require that companies notify customers within seven days of an attack, but these laws are loose and vary from state to state.
Many privacy experts I spoke with, however, said that privacy legislation had been presented to Congress in the past but never seemed to become law. Some argued that the current discussion in Congress would not result in strict enough rules anyway.
“The government clearly needs better security and data protection rules,” said Eugene Spafford, a security expert and professor at Purdue University. He suggested that the Federal Trade Commission should set up data protection standards and have the ability to discipline companies that did not comply with those rules.
“The government should be looking at financial institutions who are doing a very good job protecting information online as these companies have a tradition of understanding risk,” Mr. Spafford suggested.
Ken Johnson, senior adviser and spokesman for Representative Mary Bono Mack, a California Republican who is chairwoman of a Congressional privacy subcommittee, said one of the legislative roadblocks in the past had been “jurisdictional squabbling.” Mr. Johnson said the string of data breaches in recent months would hopefully lead regulators to “put aside political squabbles, and do what’s best for consumers.”
One piece of legislation that seems to have bipartisan support was introduced in April by Senators John Kerry, Democrat of Massachusetts, and John McCain, Republican of Arizona. The bill, the Commercial Privacy Bill of Rights Act of 2011, would require companies to adopt specific security rules if they decided to store people’s private information.