US data breach legislation needed, says Symantec

The US Congress should protect citizens against identity theft by passing a data breach notification bill that would also require companies to use reasonable security practices, cybersecurity vendor Symantec officials said yesterday.

Robert Clyde, Symantec's vice-president of technology, called on Congress to pass a data breach notification bill that would require organisations to report data breaches when there's a reasonable risk of identity theft. US lawmakers introduced about a dozen bills requiring data breach notification after a series of breaches in early 2005, but legislation stalled largely over committee jurisdictional squabbles.

About 30 states have passed breach notification laws, most of them since 2005. US lawmakers have introduced four data breach notification bills since January.

Private companies want one standard they can follow, instead of dozens, Clyde said. "Having every state do their own data breach law... starts to get out of control real quick," he said. "You put a huge burden on companies."

In the last couple of years, Symantec has seen a change in cyber attacks, prompting the need for legislation. Gone are the days when attackers created viruses or worms simply for bragging rights; now, the majority of cyberattacks are targeted at stealing money, Clyde said. In many cases, the attacks are done with stealth in mind, with the criminals hoping to milk credit card accounts for months, he said.

Often, ID thieves will take $5 (£2.55) or $10 (£5.10) from a credit card account every month and most people won't notice the small charges, Clyde added.

"The motive [of hackers] has changed from show-off to taking money," Clyde said during a briefing in Washington DC.

Symantec called on Congress to pass a data breach bill that would include language requiring organisations to deploy standard security protections. "We'd like to see legislation be more proactive," said Tiffany Olson Jones, senior regional manager for North and Latin American government relations at Symantec.

Part of the problem with passing a bill last year is that some of the legislation became too expansive and included several privacy measures, Clyde said. A simple data breach bill that focuses only on security breaches should have the best chance of passage, he said. Symantec endorsed the Data Accountability and Trust Act, introduced earlier this month by Representatives Bobby Rush, an Illinois Democrat, and Cliff Stearns, a Florida Republican.

The bill, in addition to requiring breach notifications to affected customers, would authorise the US Federal Trade Commission (FTC) to draw up data privacy requirements for businesses, including requirements that they have vulnerability assessments and policies for disposing of obsolete data.

After a company reports a data breach, the FTC would conduct an audit of its security practices, and the bill would require data brokers to disclose the information they hold on individuals and allow individuals to correct wrong information.

Symantec also called on Congress to pass an antispyware bill. Several of the ways that spyware steals information, such as keystroke logging, aren't expressly prohibited in other cybersecurity laws, Clyde said.