While the intentions behind the proposed SAFE Data Act are positive, some in the IT security industry believe following its guidelines could lead to negative results, according to an InformationWeek report.
The proposed legislation, which was recently passed by a House subcommittee on Commerce, Manufacturing and Trade, would require any organization to report a data breach within 48 hours of the incident. In the wake of massive data breaches at Sony and Epsilon, the legislation aims to protect consumers by making them aware that their personal information could be at risk sooner, hopefully before that information is used for identity theft.
However, Tom Quilty, CEO of data breach response firm BD Consulting, told InformationWeek that a hard-set rule may actually cause more damage than good in some cases. He explained that a balance needs to be reached, in which businesses avoid acting too quickly and informing consumers who may not have actually been involved, which could prompt them to cancel accounts that may not have been at risk. Instead, taking the time to evaluate the situation could sometimes make for a more comprehensive solution to the problem, Quilty said.
"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," he told InformationWeek. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."
Overall, the legislation is a sign that government organizations are not lying down in front of the rising threat of cybercrime. Other recent efforts include an international crackdown in which law enforcement agents in Europe and the United States brought in suspected members of the Anonymous and LulzSec hacking groups, each of which has taken responsibility for the breaches at Sony and several government institutions.