Federal requirement to disclose database security breaches?



Fines and prison time are among the penalties envisioned under a proposed house bill. The requirement would be that businesses with database holding information on more than 10,000 people (or federal employees) would have to inform either the Secret Service or the FBI of a data security breach. (The maximum sentence would be five years.) Now, on my first read of this, I thought, well sure – any company should disclose the possible loss, theft, or breach of a database holding customer data. I still think that… but I don’t know that the focus of penalty is on the right shoulders.


I would certainly go along with heavy fines for failing to report a breach, but prison time? Shouldn’t that be reserved for the ones that actually break in and steal 10,000+ credit card numbers? For that matter, I do have a bit of the problem with the implication that it is more greivous that a single federal employees information is breached than 9,999 “civilians” (for lack of a better term…) And how is a business with less than 10,000 people supposed to identify Federal employees in their database to know that we need to report to the FBI that somebody stole 5,000 names and birthdates?

The Security fix has a story on the proposed bill… He raises another good point and that is the FBI having it’s hands full with cybercrime reports already. He goes on to really get at the issue. Cybercrime is not something that the US alone can solve. The havens for cybercriminal are worldwide and there are a variety of reasons, poverty, disdain for the U.S./West, etc. And until some of the factors that push people to cybercrime elsewhere, we will not get a handle on it here. They will be out of reach.

I don’t know if the proposed bill is the best solution to protection peoples private data. Like most things in politics it will likely go through a series of changes before it’s voted on and finalized. It will be interesting to see what threshold is held for “personal data”. That will determine if most EVERYONE that keeps a database of Donors or customers, contacts, etc… will be required to keep the FBI on speed-dial.

   Send article as PDF   

Similar Posts