New Law Would Force Companies to Report Hacks Quickly
Following criticism that Target and other retailers have been slow to publicly report attacks, Attorney General Eric Holder pressed for a new federal law that forces companies to quickly disclose when they get hacked.
Holder called on Congress to pass a nationwide standard that forces businesses that suffer cyber attacks to notify customers when their data falls into the hands of cyber criminals.
“This would empower the American people to protect themselves if they are at risk of identity theft,” Holder said in his weekly address. “It would enable law enforcement to better investigate these crimes — and hold compromised entities accountable when they fail to keep sensitive information safe.”
Target has come under fire after taking six days to admit publicly that hackers accessed more than 70 million customers’ personal information in December. Neiman Marcus waited nine days after learning that it also had been hacked in January.
Consumer Watchdog, a consumer group, has claimed the retailers may have delayed reporting the breaches so as not to disrupt sales during the holiday shopping season.
Both retailers denied such claims and said they waited because they were still investigating the breaches and closing security gaps.
But the attacks were first revealed not by the companies themselves but by a cyber-security blogger, highlighting how businesses are often slow to acknowledge cyber attacks to customers — if they do so at all.
Companies stay quiet about getting hacked for many reasons. They have stock prices and reputations to protect, and their lawyers advise them to remain silent in the face of potential lawsuits.
Target said that sales dropped significantly after the company disclosed the breach, and its stock has recently traded at 52-week lows.
Waiting to admit cyber attacks deprives customers of valuable time they could spend taking steps to protect themselves from fraud, experts say.
“When you are a victim of a hack attack, time is of the essence in terms of how you react,” said Tom Kellermann, the managing director of cyber protection at Alvarez & Marsal, a professional services firm.
“There have been many instances where corporations have waited months to report that a breach occurred, and during that time, identity theft cases have dramatically grown in number,” Kellermann said.
Nearly every state has a law mandating that companies tell customers when their personal data has been compromised. But the laws give companies significant leeway, allowing them to take several weeks to investigate before disclosing a data breach.