Could a new law forcing companies to tell you when your private information has been stolen ultimately help protect you?
From the U.S. military's Central Command to Sony, no organization has been immune to embarrassing hack attacks. And nearly every company -- from Google to Home Depot -- has been the victim of cyber thieves. The problem is that you often don't know whether or not your personal information was stolen and, in some cases, the companies don't have to tell you.
Last week President Obama proposed a national data breach reporting law that would require companies to alert customers and employees within 30 days that their personal information may have been stolen. Currently, there are over 40 different state laws covering (or not covering) such thefts, and yet last year the Electronic Privacy Information Center estimated that half of all Americans had their information hacked. That's a pathetic statistic, especially with the upcoming International Data Privacy Day on Jan. 28.
Something has to be done. But would a 30-day national law actually help protect you?
"Leaked data, for instance, gets posted on public places such as Pastebin or torrents, where it can be abused by third parties," Bogdan Botezatu, senior e-threat analyst at security firm Bitdefender, told FoxNews.com. Botezatu emphasized that until the company publicly discloses that breach, "users can get their money stolen, they might get their accounts hijacked and even their identities impersonated. The earlier they know, the faster they can react to the threat."
Several consumer advocacy organizations and security experts think that 30 days is too long to wait.
"Some industries, such as in credit card and payments processing, impose much higher standards than the 30 days proposed by the President," said Andre Durand, CEO of Ping Identity.
Durand also points out that it's not always clear what kind of breach would trigger a reporting law (for example, would a simple network intrusion qualify or would the break-in have to include the actual theft of personal passwords?), especially with companies resistant to disclosing any digital break-ins.
Durand and Botezatu point out that companies have incentives to conceal and not report such thefts in order to protect their corporate reputations, not to mention shield them from legal liability and shore up their stock prices. Botezatu also notes that companies can be caught in a technical bind: If they have to make the attack public before they've created a solution to prevent similar breaches, they could end up making the company and customers even more vulnerable to additional attacks.
"The company needs to understand the situation in order to issue a fix for the exploited vulnerability, and only then have the users change the account password," says Botezatu. It's better, in other words, to solve the problem all at once rather than piece by piece.
Durand underscores that the real issue is preventing digital thefts in the first place -- not telling you about them after the fact. However, if such legislation passes, it might have a cyber trickle-down effect.
The imposition of a national law forcing companies to disclose cyberattacks as soon as possible could force businesses to put more resources into digital security. Corporations would have to do a better job of protecting customer data if those businesses knew they only had 30 days -- or less -- to fix such problems. That could have the effect of improving security and reducing such thefts across the board.
Ultimately, security -- like charity -- begins at home. You can't rely on others to protect your personal information from being stolen. So get the regular credit reports that are free by law directly from the reporting agencies, use a free antivirus program from a reputable firm (such as Avast, AVG, or Bitdefender), and don't click on those offers from Nigerian bankers.