US bill mandates penetration tests

Introduces big fines for breaches.

A bill introduced in the US Senate would force businesses to conduct mandatory risk assessments or face hefty fines.

The bill (pdf) sought to quell the rising incidence of data breaches by requiring businesses to follow guidelines for the safe storage of data.

Violators would face fines exceeding US$5000 per infraction each day, and up to US$20 million for each violation.

Additionally, consumers affected by violations of the law would be able to file civil actions against the firm in question.

The 100-page measure, called the Personal Data Protection and Breach Accountability Act of 2011, would require businesses holding data on more than 10,000 customers to implement privacy and security programs to ensure the information is protected.

As part of the programs, businesses would be required to conduct risk assessments and regularly conduct vulnerability tests on key controls and systems.

“My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised,” said US Senator Richard Blumenthal, who introduced the bill.

The bill would force businesses to notify customers “without reasonable delay” when their data has been breached and offer victims two years of free credit monitoring services.

The bill is just one of several introduced this year in the US Congress that tackle privacy issues.

“It's apparent that Congress is increasingly concerned about privacy issues,” said International Association of Privacy Professionals chief executive Trevor Hughes.

While privacy bills typically aimed to give consumers options about data use, Blumenthal's bill centred on accountability, he said.

“That development might be well received by many in the privacy community,” Hughes said.

A law that “harmonised” the patchwork of existing state privacy and data security requirements would likely be helpful to businesses and widely supported, according to Andy Serwin, chair of the privacy practice at US law firm Foley and Lardner.

“If we are going to have comprehensive legislation at the federal level, careful thought would need to be given on how that integrates with what states have already done,” Serwin said.

The bill was referred to the Senate Judiciary Committee for review.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition