In the wake of the Equifax breach, Andrea O’Sullivan examines whether Congress has a role to play in telling private companies when they must reveal consumer data hacks:
There is no question that Equifax screwed up majorly and should be held accountable. Already, federal regulators tasked with overseeing consumer safety and credit—namely, the Federal Trade Commission (FTC) and Consumer Financial Protection Board (CFPB)—are hard at work determining how to proceed.
But some feel that this is not enough. Legislators see the Equifax breach as an opportunity to promote data breach notification bills that had trouble getting passed in the past.
Specifically, Rep. Jim Langevin is pushing forward a new version of 2015’s failed Personal Data Notification and Protection Act (PDNPA). An updated version of the bill is not available on Congress’ legislation website, but the earlier version would have required businesses that collect PII on at least 10,000 individuals to notify affected parties within 30 days of a security breach. The bill outlines what information and resources the companies should make available to victims and designates the FTC as the enforcer. There are a few exemptions, such as for incidents that would affect ongoing legal investigations or those that are determined to not be a reasonable harm risk to individuals.
from Hit & Run http://ift.tt/2y5PX5Q