The United States is to reintroduce the Personal Data Privacy and Security Act
After a series of data breaches, including the breach of 70 million customer records at Target, Senator Patrick Leahy said that such breaches are “a reminder that developing a comprehensive national strategy to protect data privacy and cyber security remains one of the most challenging and important issues facing our nation”.
He said in a statement that the reintroduction of the Personal Data Privacy and Security Act will help to meet this challenge. He said: “When I first introduced this bill nine years ago, I had high hopes of bringing urgently needed data privacy reforms to the American people. Although the Judiciary Committee favourably reported this bill numerous times, this legislation has languished on the Senate calendar. In the meantime, the dangers to Americans’ privacy, economic prosperity and national security posed by data breaches have not gone away.”
“The Personal Data Privacy and Security Act requires companies that have databases with sensitive personal information on Americans to establish and implement data privacy and security programs. The bill would also establish a single nationwide standard for data breach notification and require notice to consumers when their sensitive personal information has been compromised.”
The bill will also provide “tough criminal penalties” for anyone who would “intentionally and wilfully conceal the fact that a data breach has occurred when the breach causes economic damage to consumers”. It also includes the US Government’s proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties.
According to The Hacker News, this will increase the maximum sentence for a first-time offender from 10 years to 20 and apply to all types of hackers involved in data breaches, cyber fraud, identity theft and malware development, as well as to hacktivists who are not hacking for financial gain.
A number of Twitter users also made the point that the bill was announced close to 12 months after the death of activist Aaron Swartz.
Mark Bower, vice president of product management at Voltage Security, said: “Tougher legislation is a good deterrent, but only if you can catch the thieves. With attacks often coordinated by experts in malware engineering and data theft operations operating in offshore jurisdictions, can it really be effective in stopping the onslaught?
“Ultimately, the solution to mass data breaches isn’t to try and make the legal risk higher; the solution is to make the economics of the attack far less appealing. A costly attack becomes a loss-making venture if the results yield valueless information every time, so make the data useless to the attacker, and the attack business case fails.”