Almost 9 in 10 businesses in the U.K. say they are unprepared to comply with a law proposed by the European Commission that would require them to disclose every computer affected by a data breach within 24 hours of the incident. A poll of 200 large enterprises sponsored by software firm LogRhythm found that 13% of respondents said it would take them a week to a month to identify all breach victims, and 6% said they would be unable to do so at all. Almost three-quarters said such a law would inevitably lead to the problem of "overdisclosure."
A study reports that IT security professionals consider assessing a data breach and its potential harm more valuable than notifying consumers and regulators within a specific time frame. The Ponemon Institute report states that only 6% of those polled view notification as a helpful mitigation-response action. The most important steps to take, those professionals say, are getting legal help, assessing the harm, and bringing in forensic expertise for the breach investigation.
California lawmakers have mapped out what companies must disclose to customers following a data-breach incident. Enterprises must specify what type of data was lost or stolen and what exactly took place, and must provide that information in a timely manner.
Sony said Monday that the data breach that exposed the private accounts of an estimated 77 million PlayStation Network and Qriocity users in April is worse than previously thought after it discovered that hackers also gained access to the personal data of nearly 25 million Sony Online Entertainment subscribers.
The Senate Judiciary Committee voted to advance two bills this week that would require agencies and businesses to inform victims and authorities about data breaches. Supporters of the Personal Data Privacy and Security Act and the Data Breach Notification Act said the laws will enhance security for consumers while clarifying rules for companies that must comply with multiple states' laws.