Holder says Congress should require companies to disclose data breaches
February 24th, 2014
06:26 AM ET

Washington (CNN) - Attorney General Eric Holder is calling on Congress to require companies to more quickly alert customers when their personal information is put at risk in cyberbreaches.

In a video message Monday, Holder says "a strong, national standard for quickly alerting consumers whose information may be compromised ... would empower the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes - and hold compromised entities accountable when they fail to keep sensitive information safe."

Federal law currently doesn't offer any standard for companies to notify customers following breaches, though some states have notification laws. Many companies are wary that public notification will hurt their business.

Proposals in Congress to require a uniform notification and security standard have languished for years.

Support for one bill proposed by Sen. Patrick Leahy, D-Vermont, has grown in the wake of the massive breach of retailer Target, which Holder says compromised personal information of up to 70 million people, including credit- and debit-card data of 40 million Target customers.

Leahy's bill proposes to do much of what Holder is asking.

Holder's proposal in some ways contrasts with how law enforcement has dealt with past breaches.

During past cyber break-ins, investigators have asked companies to not immediately make the information public. In some cases, cybercriminals are known to return to exploit the vulnerabilities, and investigators may be able to gather evidence as new breaches occur.

The rise of cybercrime in recent years has alarmed U.S. officials. One well-regarded report on data breaches produced by Verizon says there were 621 confirmed breaches in 2012, and that many breaches go unreported. Federal Bureau of Investigation Director James Comey told a Senate committee last fall that soon the cybercrime threat will equal or surpass the threat from terrorism.

The Obama administration has come up with legislative proposals to better defend the country from cyberattacks, but that effort has largely been shelved, a casualty of the controversy surrounding government surveillance after disclosures by former National Security Agency contractor Edward Snowden. The NSA would be a lead agency in any national cyberstrategy, and the agency is politically damaged post-Snowden.

One criticism of mandated notification is that the number of such reported crimes could overwhelm law enforcement. Holder, in his video message, says any legislation should also provide exemptions for minor breaches.

Holder says the breaches at Target and another retailer, Neiman Marcus, around Christmastime last year show the need for better tools for law enforcement.

"This legislation would strengthen the Justice Department's ability to combat crime and ensure individual privacy - while bringing cybercriminals to justice," he says.

Filed under: Congress • cybersecurity • Eric Holder • Justice Department
soundoff (3 Responses)
  1. Tampa Tim

    What do you bet that Republicans will argue against this, saying this bill will unfairly hurt those trying to make a living by hacking?

    February 24, 2014 at 7:02 am
  2. just asking

    should the standard be the one they are using for the obamacare web site? no security whatsoever and no requirement to disclose any data breaches. as usual the government demands of others what it refuses to do itself. this abhorrent hypocrisy has to stop.

    February 24, 2014 at 7:37 am
  3. rs

    If one wishes to panic over what the NSA knows about you, well, what private companies know is far worse. That such data is not secure, and can be hacked with no knowledge on the part of those whose data has been compromised, is simply bad policy. This is logical legislation and should be pursued.

    February 24, 2014 at 8:43 am