Thanks to partisan politics and intensive industry lobbying, we have no strong federal breach notification law. This, of course, is not news to my readers. But in light of (1) Congress’s current interest in cybersecurity and sharing of information, (2) the fact that up to 40% of breaches are first detected by members of the public, and (3) how damned difficult it can be to contact an organization to alert them that they’ve had a breach, I thought of proposing a bill. I don’t have a snappy acronym for it yet, which may doom it, but if you like the concept, perhaps you or the Twitterverse can come up with one and help me flesh this out more.
So before I invest a lot of time in the language, here’s a brief outline of what the law might contain/say:
To require any entity that collects, processes, or stores personally identifiable information to provide prominently displayed contact information on its web site to be used for reporting a data security breach, security vulnerability, or privacy concern.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. NOTICES REGARDING CONTACT INFORMATION
(a) In General- Any entity that collects, processes, or stores personally identifiable information or sensitive personally identifiable information in any format for more than 50 U.S. citizens or residents shall display on the home page of their web site a notice providing a United States-based phone number with an e-mail address or link to an on-site contact form that can be used to report a security vulnerability, data security breach, or privacy concern involving the web site or entity’s database(s).
(b) Monitoring – The phone number, e-mail address, and contact form notification shall be monitored by the covered entity or its designated responsible party every day.
(c) Receipt of Notice – Covered entities or their representative will acknowledge receipt of the notification of a data security breach, possible vulnerability, or privacy breach within 24 hours of notice if the notifier provides an e-mail address or phone number.
SECTION 2. RESPONSE TO NOTIFICATION OF A DATA SECURITY BREACH
(a) In General – Covered entities shall initiate investigation of a report of a data security breach involving personally identifiable information or sensitive personally identifiable information within 24 hours of being notified.
(b) Mitigating Exposure – Covered entities shall take steps to prevent further exposure:
(i) In the event that personally identifiable information or sensitive personally identifiable information has been exposed on the Internet, the entity shall promptly, but in no case later than 24 hours, attempt to have the data removed.
(ii) In the event that paper records with personally identifiable information or sensitive personally identifiable information have been improperly disposed of or found in public spaces, the entity shall, within 24 hours, arrange to recover possession of the records. The recovery of records shall be completed within 72 hours from time of initial notification.
SECTION 3. PROMOTING RESPONSIBLE DISCLOSURE
(a) In General – Any individual or organization that provides notification to a covered entity of a security vulnerability involving the covered entity’s web site or server(s) containing personally identifiable information or sensitive personally identifiable information shall be immune from civil or criminal action as long as:
(i) Notification is made to the covered entity and the entity is given an opportunity to secure its databases or server before the vulnerability is disclosed to others;
(ii) Personally identifiable information or sensitive personally identifiable information is not disclosed to others in unredacted form;
(iii) Personally identifiable information or sensitive personally identifiable information is securely deleted after acknowledgement of the vulnerability by the covered entity; and
(iv) Collection or download of personally identifiable information or sensitive personally identifiable information is kept to the minimum necessary for proof of vulnerability.
(b) Response to Notification – A covered entity shall respond to a notification of vulnerability within seven (7) days. The response:
(i) Shall include the covered entity’s findings with respect to the reported vulnerability, and
(ii) Steps the covered entity has taken or will take to address confirmed vulnerabilities.
Okay, that’s enough to show you where I’m going with this. Obviously, it would need sections on definitions and enforcement.
But what do you think so far? Is this a good idea to pursue, or is it a bad idea?
And if you think it’s a good idea, what should we call this?
The Get Your Head Out of Your Ass, Please Act of 2013?
The Privacy and Security Notification Act of 2013?
The Wake Up and Smell the Data Leak Act of 2013?
Maybe if we throw in a “cyber” somewhere in the title…?
Have at it.
Update: This post and discussion on Slashdot last night are yet another demonstration of why we may need a federal law like this.
Maybe I should call it the “Help Me Help You Act” or the “Jerry Maguire Act of 2013”?