Wednesday, June 22, 2011

American Companies Will Be Forced To Disclose Hacks

Following the well-known recent Sony affair, American companies will be required to disclose if they’ve been hacked. That’s the essence of the new legislation currently being drafted in Congress.

The idea for the new legislation was suggested by Mary Bono Mack, a Republican from California. All Mary Bono Mack wants is to see companies required to provide a basic level of protection for their customers' personal data and, if they fail to do so, to notify the government of the problem.

After Mack had held hearings on the data leaks at Sony and Epsilon, a bill was promised, specifically designed to protect users' personal data. Now, if the proposed legislation gets the votes, it will force US businesses to protect their own consumers by requiring at least reasonable security policies and procedures to protect information containing personal data. But the most interesting part is that the new law would provide for nationwide notice in case of a hack.

The bill is already circulating through the government. For example, the National Journal has revealed that the Commerce, Manufacturing, and Trade Subcommittee of the House Energy and Commerce Committee has scheduled a hearing for tomorrow to discuss the proposal.

Mary Bono Mack is reported to have an aggressive timetable for pushing the draft through subcommittee and full committee. The reason for the rush is that customers can’t wait and want something done right now.

According to the new legislation, all companies in the United States would be required to erase old or unnecessary information. They would also be required to notify the government no later than 2 days after discovering a data loss. This part of the legislation is supposed to prevent the widespread situation where outdated, unprotected databases are still kept on the company network and become a soft target for intruders.

However, the bill specifies that companies wouldn’t have to report a breach if it’s "an accident". It will be interesting to see whether companies try to use this clause as a reason for not publicizing their failures. Finally, the law would give the FTC authority over information protection at non-commercial organizations like universities and charities.

Saturday, June 11, 2011

Sony Criticized For Lack Of Cybersecurity

The recent hack at Sony has left customers angry and security experts wondering why the company didn’t make basic fixes to its stricken cybersecurity program.

Late last week hackers managed to compromise a massive amount of users’ personal data from Sony Pictures’ site using a simple technique. Security experts pointed out that the leak showed how poorly Sony protected its users’ information: its security was bypassed by a simple attack method. The experts say that any website worth its salt should be able to withstand attacks of this kind. Considering that Lulz Security effortlessly managed to steal the personal data of over 1,000,000 Sony users, the hackers must be lining up to give Sony a kicking.

Meanwhile, Sony’s CEO acknowledged the latest intrusion last Friday, claiming that the company had taken steps to protect against further security breaches. In addition, Sony was reported to have retained a team of experts tasked with conducting the forensic analysis of the attack. However, Sony didn’t detail what specific action was taken to prevent future intrusions.

Lulz Security uploaded the stolen data to The Pirate Bay to prove that Sony stored its users’ passwords in a simple text file, which can only be called “disgraceful and insecure”.

Affected users blame Sony for allowing the intruders to compromise their personal data, saying that such an attitude shows little respect for customers. Moreover, the company even failed to notify users about the breach, which occurred several days ago.

Experts at the U.S. Cyber Consequences Unit, a research group that monitors online threats, were emphatic when asked whether people’s passwords could be stored unencrypted: they simply replied, “Never”. Passwords should always be hashed, so companies should use some kind of cryptographic protection. The U.S. Cyber Consequences Unit’s experts, who have been critical of the company’s security before, said that it needed to revise the methods used to safeguard users’ personal information. Both Sony customers and security experts recommend that the company press the reset button on its cybersecurity program before another breach happens.
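The storage practice the experts object to, shown as an added example that is not part of the original post and not Sony's code: a plaintext credential record beside a salted PBKDF2 record with constant-time verification, so that a leaked table no longer hands over the passwords themselves. The iteration count, salt size and sample users are assumed values constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the hashed store (not values from the article).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

def store_plaintext(password: str) -> str:
    """The pattern criticised in the article: the password is written to the
    table as-is, so whoever obtains the file has every password immediately."""
    return password

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and pack it into one
    self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means identical passwords get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the salt and iteration count stored in the
    record and compare in constant time; malformed or foreign records fail closed."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)

def leaked_passwords(table: dict, known_passwords: dict) -> list:
    """Given a leaked user table, return the users whose real password appears
    verbatim in their stored record (the situation the article describes)."""
    return [u for u, rec in table.items() if known_passwords[u] in rec]

if __name__ == "__main__":
    users = {"alice": "correct horse", "bob": "correct horse"}  # constructed sample
    weak = {u: store_plaintext(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("plaintext store exposes:", leaked_passwords(weak, users))
    print("hashed store exposes:", leaked_passwords(strong, users))
    print("bob's login still works:", verify_password("correct horse", strong["bob"]))
```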