WASHINGTON (Reuters) - A congresswoman may strengthen a data breach bill to quell concerns it would do too little to force companies to alert customers of data breaches promptly.
The draft version of the bill from Rep. Mary Bono Mack requires companies that experience a breach to tell law enforcement within 48 hours and to begin notifying consumers within 48 hours of when the company completes an assessment of the hack.
At the House hearing on Wednesday, other lawmakers expressed concern that allowing companies to wait until an assessment was done could allow them to stall on informing customers.
“Chairman Bono Mack is open to the idea of making sure that there’s a drop-dead certain time that companies have to report a breach,” said Ken Johnson, Bono Mack’s senior policy adviser on the issue.
The bill could be changed to give companies a limit of 60 days, he said.
In recent weeks, Sony, Citigroup and other companies have been criticized for failing to tell consumers swiftly about major data breaches that potentially exposed personal data including email addresses or birth dates of millions of people.
Bono Mack’s draft bill would also require companies to begin erasing personal data once it is no longer needed, eliminating the possibility it could be stolen in a hacking attack.
The idea of data minimization also came under some fire at a hearing on Wednesday, with one lawmaker noting that data about customers may be retained for a long time for good reason.
Others disagreed, and FTC Commissioner Edith Ramirez noted that if unneeded data was retained, there was just that much more to steal once a breach occurred.
“If it’s no longer needed, they should dispose of that information safely,” she told the House subcommittee on commerce, manufacturing and trade.
Senators John Rockefeller, chair of the Senate Commerce Committee, and Mark Pryor, both Democrats, introduced legislation on Wednesday that would also require that companies safeguard sensitive data and inform consumers in the case of a breach.
Separately on Wednesday, senators Al Franken and Richard Blumenthal introduced a bill that would require app developers to obtain consumers’ express consent before collecting information about where they are and sharing that information.
There has been no shortage of highly publicized hacks recently, some by organized crime and others by Internet vigilantes and pranksters.
The International Monetary Fund and the Senate’s public website have been hit, as has Google Inc. In the defense sector, EMC Corp’s RSA security division acknowledged a hack that may have allowed digital intruders into defense contractor Lockheed Martin’s computers.
Reporting by Diane Bartz, editing by Matthew Lewis