Obama administration pushes for short 30-day reporting window for data breaches

President Barack Obama has proposed new legislation that would require companies to notify consumers of a possible data breach within 30 days of its detection. The Personal Data Notification and Protection Act would, among other things, require companies to notify customers when their personal information has been exposed, establishing a 30-day notification requirement from the discovery of a breach while providing companies with the certainty of a single, national standard.

The proposal also criminalizes illicit overseas trade in identities.

There is more to the proposal, which seeks to provide uniform standards at a time when data breaches are becoming, if not more frequent, more visible. A cyber crime occurs every 18 seconds, according to Paul Kleinschnitz, senior VP and general manager, cybersecurity solutions, First Data Corp. "One in two of us have already been hacked and cybercrime has now surpassed any criminal activity including the drug trade," he said.

Retailers know all too well the ramifications of cyber crime. Target's (NYSE:TGT) data breach in 2013 has cost the retailer approximately $148 million thus far, and a recent court ruling allows financial institutions to seek reparations from the retailer, a first for this type of case. The Minnesota court called Target's activity, or lack thereof, negligent for failing to act on signs that criminal activity was occurring.

The Obama administration seeks to speed the process of public declaration, but is a 30-day window a reasonable expectation?

Not according to Erin Nealy Cox, executive managing director of Stroz Friedberg, a digital risk management firm. For starters, when does that calendar get marked as Day One? How to determine if a suspicion turns out to actually be fact? And how will companies manage that timeline with any uniformity?

All questions unanswered in the president's proposal.

The White House will host a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University. The Summit will bring together stakeholders, including senior leaders in government; CEOs from a range of industries including the financial services industry, technology and communications companies; computer security companies and the retail industry; as well as law enforcement officials, consumer advocates, technical experts, and students.  

Topics at the Summit will include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies.

As more transactions and consumer activity move online, the rate of fraud will only increase. Protecting consumers and businesses is critical, but restrictive legislation may not have any relevance in the real world.
