Since Equifax leaked credit and identity information on ALL of us last year, I have been in a foul mood about the clueless and technically inept C-level corporate executives who are responsible for these breaches. Throw the bums in jail!
Well, a law working its way through Congress may do just that. For the first time, executives may be facing not just ritual termination and shaming in the press, but actual hard time. Up to five years. Senator Bill Nelson has evidently been trying for a while now to get some traction under his bill, S.177 – Data Security and Breach Notification Act of 2015.
The reason I support this legislation is that I have been in too many meetings with C-level executives where real security gets short shrift and no funding. Certainly, the cyber-criminals and other malicious actors are legally responsible for the breaches. But in many cases the executives of the targeted company made decisions that ultimately made it possible for the breach to occur. On discovery, they are often more interested in covering up the breach than in responsibly reporting the issue to their affected customers.
The Department of Homeland Security (DHS) would create a new federal entity where data breaches would be reported if they involved:
- the personal information of more than 10,000 individuals,
- a database containing the personal information of more than 1 million individuals,
- federal government databases, or
- the personal information of federal employees or contractors known to be involved in national security or law enforcement.
This new organization would report this information to other law enforcement agencies as deemed appropriate, including:
- US Secret Service
- Federal Trade Commission (FTC)
- US Postal Inspection Service, if mail fraud is involved
- Attorneys general of affected states
- Appropriate federal agencies for law enforcement, national security, or data security purposes
Usually these guys only pay attention to issues that are likely to improve the stock price or positively affect their quarterly bonus or compensation. Cybersecurity is seen only as an expense. If there is an actual danger of incarceration, perhaps corporate officers will finally take this issue seriously.