
Companies like Sony may soon have even more incentive to keep their subscriber information safe from malicious hackers. A bill introduced this week lays out potentially stiff penalties for negligent companies.

According to the New York Times, Sen. Richard Blumenthal of Connecticut proposed the Personal Data Protection and Breach Accountability Act of 2011 this week in order to hold businesses accountable for data breaches that put customers at personal or financial risk. The bill is directed at companies with more than 10,000 users or customers and would require those businesses to implement specific security measures and to have a response team in place for any future intrusion. If the bill is passed into Federal law, the Justice Department will be able to levy fines of $5,000 per violation per day, up to a stiff maximum of $20 million per infringement. In addition to the fines, the law could be used by users to sue any company that doesn't take proper precautions.

Beyond the penalties directed at companies with poor security, the bill also increases the penalties faced by anyone caught participating in or profiting from phishing attacks. Under the new law, a convicted phisher would face a $1 million fine as well as 5 years in Federal prison. The bill makes installing any piece of software that collects personal information without the user's express permission a criminal act. It would also criminalize rerouting search results for financial gain, a practice often engaged in by less than reputable Internet service providers. Anyone participating in these actions would face the same penalty as phishers.

Blumenthal was a particularly vocal critic of Sony during the data breach earlier this year, a breach that put data from over 77 million users in jeopardy. During the investigation into the breach, the senator repeatedly pressed Sony's Jack Tretton on why it took Sony six days to inform users of the data breach. The network outage is rumored to have cost Sony over $170 million, and the company is currently in a legal battle with an insurance company over the exorbitant costs of the hack.

Showing 4 comments

  1. TuEKiD at 5:52am 12th September 2011 I don't think this Senator has any clue whatsoever what he's talking about. Companies can get hacked no matter how complex their security system is. Just ask the US government; they will tell you all about how China attacks our nation hourly (or will they?). Fining phishing: yes, good idea. Charging companies for something that is nearly out of their control: no, terrible idea. Forcing companies to implement security should be mandatory, but they should not be fined when a hacker gets in.
  2. fairlane32 at 8:07pm 10th September 2011 Oh, and as an example, digitaltrends doesn't show your profile on a secure page when you go to edit it; your email is shown in plaintext, as I'm sure the password fields are. Obfuscated, yes, but are they stored in their database encrypted? This is easy to exploit, and even easier to secure via https. Let's not forget that another commenting system (Gawker network) was breached and over 70,000 accounts with emails and passwords were stolen. DigitalTrends being lazy?
  3. fairlane32 at 8:03pm 10th September 2011 @aerobat. Good luck trying to catch and prosecute those criminals, but I'm sure the feds are keeping track. In the meantime, companies shouldn't get a free pass; they ought to be liable. I think it's a good start to address companies who are too lazy to implement simple server security measures, at the cost of the company to millions in loss, just because they were too lazy. Maybe now they will wake up. A couple of wrinkles need to be ironed out. Define "specific security measures". Also, what if it's determined that the company did have counter-measures in place, and there still was a breach? Is the company liable then? Why?
  4. Aerobat at 10:33am 10th September 2011 The article has no link to the proposed bill, nor does Senator Blumenthal's website (or Google searches), so it's tough to make a fair evaluation. I sure like the idea of clamping down on phishing abuse. But while it sounds nice to hold companies responsible for careless handling of private information, the actual criminals are the ones that take the information. I don't know how we can penalize the companies when the government is doing very little to catch the criminals. In fact, they seem to foster phishing. When employees at the DOE voluntarily formed and ran "HoaxBusters" years ago, they were posting excellent news and alerts about scams, viruses and phishing. Even though it was run by DOE volunteers on their own time, the Bush administration made them take down the site. It was almost like they wanted the scammers to succeed. So without some government enforcement, it would seem like the companies would be hard pressed to protect themselves. Maybe this is all contrived by the lobbyists from McAfee and Symantec. I suppose we will know more when we can read the actual proposal the Senator submitted.