Shostack + Friends Blog Archive

National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16.
I haven’t read the full text of the bill (and it has been roundly criticized by folks whose opinions I trust) but I was happy to see this in the press release [link to http://financialservices.house.gov/News.asp?FormMode=release&ID=775 no longer works] from the commitee:

An amendment offered by Rep. Barbara Lee (CA) would require the Federal Trade Commission to coordinate with other government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within a twelve month period.

Another piece of legislation, which has been received rather better by privacy advocates and consumer rights groups, is the Data Accountability and Trust Act [link to http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.+4127: no longer works]. Guess what? It also requires central reporting of breaches:

Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data–
[…]
(2) notify the [Federal Trade] Commission;
[…]
The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).

I am happy to see these elements make their way into national legislation.

Originally published by cwalsh on 31 Mar 2006
Last modified on 22 Aug 2023
Categories:   breach analysis   Current Events   Legal   Uncategorized