US companies are going to be forced to disclose if they have been hacked, thanks to a new law being drafted in Congress.
The law has been penned by Mary Bono Mack, a Republican from California who wants companies to be forced to provide a basic level of protection for consumers’ personal information and to notify the government when data is stolen.
Mack held hearings on data breaches at Sony and Epsilon and promised to bring in a bill designed to protect consumer information.
If it gets the votes, Mack’s law will force companies to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.”
According to the National Journal, the House Energy and Commerce Committee’s Commerce, Manufacturing, and Trade Subcommittee will hold a hearing on Wednesday to discuss the bill.
Johnson said that she had an aggressive timetable for moving the bill through subcommittee and full committee because punters want something done quickly.
Under the bill, companies would be forced to delete old or unnecessary data, as well as notify the government within 48 hours of discovering a breach.
This would prevent situations where old databases with minimal protection were left on the company network, providing a soft target for hackers.
Crucially, however, a company would not have to tell anyone if the breach is “an accident”, so it will be interesting to see whether outfits try to use this clause as a reason for not telling anyone.
The legislation gives the FTC authority over data protection at nonprofit outfits such as universities and charities.