OK, it may be hyperbole, but since 91% of data breaches are caused by successful spear phishing attacks, it's not entirely crazy to say: "security awareness training for your users or go to jail..." :-D
This new-but-old U.S. bill introduces prison time for execs who conceal data breaches, and it's not the first time senators have tried to regulate breach disclosure.
It's the second time a bill with this name has been introduced. Four senators, including Nelson, tried to push a previous version of this bill in 2014, during the Obama administration, but failed to get the support they needed.
The 2014 bill came shortly after the Target and Neiman Marcus breaches, and its main objective was to force companies to store data in a more secure manner and ensure all customers receive breach notifications in due time.
This new bill comes as a response to the recent Uber debacle, where the company paid $100,000 as hush money to two hackers to keep quiet about a security incident that took place in late 2016. The company came clean about the breach a year later, after a change in management, revealing that hackers stole details for almost 57 million drivers and customers.
Execs who hide breaches risk going to prison
The new Data Security and Breach Notification Act includes language that punishes company execs who intentionally conceal a breach with fines and a prison sentence of up to five years.
Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both. [Page 37]
But this is not the bill's main purpose, even if some users would find comfort in knowing that some overpaid executives will see the inside of a jail cell if they screw up.
The bill's main purpose is to homogenize data breach notification laws across US states. Currently, each US state forces companies to disclose breaches in a different manner, while some states don't even have such laws in the first place.
More at Bleepingcomputer: https://www.bleepingcomputer.com/news/security/new-but-old-us-bill-introduces-prison-time-for-execs-who-conceal-data-breaches/
Free Phishing Security Test
Did you know that 91% of successful data breaches started with a spear-phishing attack?
Cyber-attacks are rapidly getting more sophisticated. We help you step your employees through new-school security awareness training to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test.