Jan 18 2018

Peter Dinham reports:

A majority of Australian IT decision-makers believe reporting of data breaches to regulators will help prevent cyber crime.

Surveyed by global security vendor Palo Alto Networks, 79% of IT decision-makers agreed that reporting breaches to regulators should be mandatory and 69% believed reporting of data breaches to regulators would help prevent cyber crime.

Are 69% being optimistic, naive, or both? We have mandatory disclosure here in the U.S. Have Australian experts noticed that we haven’t seen any decrease in cybercrime since 2005 and thereafter as state laws were implemented?

At first we consoled ourselves, telling ourselves that hey, it takes a few years for laws to have any impact. But it’s painfully obvious by now that breach disclosure laws do not really help prevent cybercrime. No, no company wants the bad press for a breach or the risk of litigation, but these laws do not do enough to prevent cybercrime.


Read more on iTWire.

Jan 17 2018

AP reports:

A legislative panel has delayed action on a bill that would require companies to inform South Dakota residents whose personal information was acquired in a data breach.

The Senate Judiciary Committee plans to take up the proposal again Thursday.

Attorney General Marty Jackley’s bill would require affected South Dakotans be notified within 60 days.

The plan would also require companies to inform the attorney general if a breach affected more than 250 residents.

Read more on The State.

This appears to be SB 62. You can find the text of the bill here. The attorney general has been trying for years to get a bill enacted. Will this be the year?

Jan 17 2018

John G. Kerkorian, David M. Stauss, Gregory P. Szewczyk, and Kimberly A. Warshawsky of Ballard Spahr write:

The Arizona State Legislature is considering proposed legislation that, if enacted, would significantly change the requirements for how Arizona entities respond to data breaches.

Under Arizona’s existing breach notification law, entities that conduct business in the state and own or license computerized data that includes personal information (PI) are required to notify individuals if the entity is the victim of a security breach that compromises the security or confidentiality of the PI and that causes or is likely to cause substantial economic loss to an individual. The proposed legislation would remove the “substantial economic loss” requirement, thereby lowering the threshold for when notice is required.

Read more on Ballard Spahr LLP.

Jan 16 2018

David Lazarus writes:

Twenty-two industry groups, representing thousands of U.S. businesses, sent a letter to Congress the other day calling on lawmakers to pass sweeping data-security rules. At first glance, that seems like a really good thing for consumers.

Upon closer inspection, however, the letter suggests these corporate heavyweights are aiming to sell out consumers by pushing for data-breach notification rules that are inconsistent and far weaker than what many states, including California, already require.

The tip-off is the presence of the Retail Industry Leaders Assn., or RILA, among the letter’s signatories.

Read more on The Los Angeles Times.

Jan 13 2018

Jennifer Martin and Calvin Cohen write:

On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote. The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate the cyber vulnerability disclosures. Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.

Read more on Covington & Burling Inside Privacy.