Following the widely reported Sony breach, American companies would be required to disclose when they have been hacked. That is the essence of new legislation currently being drafted in Congress.
The idea was put forward by Mary Bono Mack, a Republican from California. What she wants is for companies to be required to provide a basic level of protection for their customers' personal data and, if that protection fails, to notify the government of the problem.
After Mack held hearings on the data breaches at Sony and Epsilon, she promised to bring in a bill specifically designed to protect users' personal data. If the proposed legislation gets the votes, it would force US businesses to protect their customers by, at a minimum, requiring reasonable security policies and procedures for safeguarding personal data. The most interesting part is that the law would establish a nationwide breach notification requirement.
The bill is already circulating in Congress. For example, the National Journal has reported that the Commerce, Manufacturing, and Trade Subcommittee of the House Energy and Commerce Committee has scheduled a hearing for tomorrow to discuss the proposal.
Bono Mack is reported to have an aggressive timetable for pushing the draft through the subcommittee and the full committee. The reason for the rush is that the public is impatient and wants something done now.
Under the bill, all companies in the United States would be required to erase old or unnecessary information. This provision is meant to end the widespread practice of leaving outdated, unprotected databases on the company network, where they become a soft target for intruders. Companies would also be required to notify the government no later than two days after discovering a data loss.
However, the bill specifies that companies would not have to report a breach if it was "an accident". It will be interesting to see whether companies try to use this clause as a reason for not publicizing their failures. Finally, the law would give the FTC authority over information protection at non-commercial organizations such as universities and charities.