IT executives need to stay up to date on the status of data-breach notification laws, David Geer writes. "When you have an incident that affects consumers throughout the country, you have to craft a response that complies with all the state laws, which is a challenge. It's even impossible where there's an outright contradiction between two different laws," lawyer Kristen Mathews says.
The Consortium for Cybersecurity Action is focused on electronic safeguards and security controls to help governments and businesses avoid legal battles over data breaches. It's proposing 20 defensive steps that every enterprise should take to protect against cyberattacks. The group includes top security players such as McAfee, as well as federal entities such as the Defense Department.
California lawmakers have mapped out what companies must disclose to customers following a data-breach incident. Enterprises must provide specifics on the type of data lost or stolen and on what exactly took place, and must provide the information in a timely manner.
Sony said Monday that the data breach that exposed the private accounts of an estimated 77 million PlayStation Network and Qriocity users in April is worse than previously thought, after it discovered that hackers also gained access to the personal data of nearly 25 million Sony Online Entertainment subscribers.
The Senate Judiciary Committee voted to advance two bills this week that would require agencies and businesses to inform victims and authorities about data breaches. Supporters of the Personal Data Privacy and Security Act and the Data Breach Notification Act said the laws will enhance security for consumers while clarifying rules for companies that must comply with multiple states' laws.