
White House proposes new data breach policy, but is it enough?

Wednesday, May 18th, 2011

Intersections’ Consumer Security Advisor Neal O’Farrell shares his thoughts on the recent cyber security plan proposed by the White House.

In an effort to stem the seemingly endless flow of data breaches exposing personal information to thieves and other risks, the White House is floating a cyber security plan that includes a new Federal standard for how a breached organization or business should respond. And while almost every state in the nation already has some sort of data breach law, this is the first time that a single, federal law has been proposed.

Here are some of the highlights:

• Under the proposed legislation, a breach would be defined as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.”

• Any organization, for profit or not-for-profit, is covered by the legislation if it collects or stores personal information on more than 10,000 individuals over a 12-month period.

• Any breach discovered must be reported to the Federal Trade Commission within 60 days of discovery, but breached organizations can be granted an extra 30 days.

• Healthcare organizations would not be covered because they are already covered by pretty comprehensive data breach legislation.

• Some organizations could be completely off the hook in the event of a data breach. For example, if the organization conducted a risk assessment that concluded there would be no harm done to the individuals whose information had been exposed or stolen; or if the information had been protected in such a way, like encryption, that it would be of no use to the thieves.

• Civil penalties would be capped at a very low $1 million.

• Data covered by the legislation includes the obvious, like names, addresses, account numbers, passwords and Social Security numbers, but doesn’t seem to include email addresses.

Now while this legislation so far is just a proposal and could be altered, it does seem to be a very weak response to a major security problem.

For example:

• Capping civil penalties at $1 million seems too generous to the offending organizations and does not really punish the most egregious of breaches.

• While the legislation requires that a breached organization must notify the credit bureaus, there’s no mention of whether they must identify to the bureaus which consumers have been affected and what the bureaus should do. So I assume the bureaus will do nothing.

• Because there’s no mention of email addresses as sensitive data, it could mean that some of the biggest data breaches, like the recent Epsilon breach that exposed tens of millions of email addresses, would not be covered by the legislation.

• Up to 90 days to first notify the public seems too long. I understand the need for breached entities to learn as much as possible about the breach but they could easily make a “qualified” early announcement. The legislation should incorporate that.

• There’s no free credit monitoring provision, which means that’s entirely at the discretion of the breached entity. There’s also no education provision and no long term support provisions. We know that many thieves will hang on to data for months after the event, waiting for the fuss and attention to pass. That leaves victims on their own when the thieves finally try to launch their “liquidity event” and cash in the stolen data.

• And I can see all kinds of problems, delays, and even deceit over the ways organizations determine whether the exposed or stolen data can harm victims. Shouldn’t victims have a say in that determination?

In summary, I think the White House is obviously seeking to create a clearer and more defined way for breached entities to respond, but so far they seem to be letting these organizations off way too easy. We’ll see if they change their mind, or maybe read this blog post.

Note: Read what other security experts say about the proposed Federal data breach policy in this article on BankInfoSecurity.com.

Want to learn more about identity theft and fraud protection?

Keep informed about the latest threats to your safety. Join our Facebook group.

Do you really care about cyber security?

Thursday, August 12th, 2010

The Daily Shield is pleased to publish another article in a regular series on the causes of identity theft written by Neal O’Farrell. Neal O’Farrell is a nationally recognized expert on cybercrime and identity theft. Once described as one of the world’s Top 20 security experts, Neal was the driving force behind a number of national security awareness initiatives, including Think Security First, a non-profit partnership between Chambers of Commerce and cities across the country to improve cyber security education at a community level.

In today’s post, Neal questions whether or not consumers are doing everything they possibly can to protect themselves, online and off.

Today I received an email from my friends at the Anti-Phishing Working Group (APWG) announcing the findings of a study they conducted with the National Cyber Security Alliance (NCSA), all as part of their build-up to National Cyber Security Awareness Month in October.

A number of their findings caught my eye. For example, according to the study:

• Consumers are concerned about their own security and safety and are ready to learn more. While they know there are things they need to do, they don’t have the information they need (for a variety of reasons) – and they want to be educated (90%).

• They feel the importance of taking actions to be more secure and safe online for themselves and their family (96%).

• A majority of those surveyed (61%) feel that online safety & security is under their control.

Now while I have the greatest respect for both these organizations, my experience in working with consumers and end users for a few decades, and especially the last few years, paints a slightly different picture.

I find that most consumers will tell you without hesitation that yes, they’re worried, and yes, they want to do more, and yes, security is their responsibility.

But when the next question is “Well, what have you done lately to protect yourself?” the response is usually silence. Because in spite of their protestations, most consumers are still doing very little to “actively” protect themselves.

For example, most computer users will tell you they have a firewall installed on their computer, but will shrug their shoulders if you ask them when was the last time they checked the firewall was actually turned on. They know where to get a credit report, but most will check their reports no more than once a year.

The report also mentions that consumers don’t have the security information they need, which is the purpose of the announcement. The APWG and NCSA are announcing the launch of yet another awareness campaign and yet more educational materials, which suggests to me that they understand little about the problem.

The web is awash with security information and advice for consumers, on every conceivable threat, for every possible audience, and in every possible format – web sites, brochures, books, Flash tutorials, videos, newsletters, etc.

We don’t need any more educational materials. What we need are better ways to remind consumers as often as possible – like every day – to think security first, and think security now!

Security awareness is not about being aware a threat exists. It’s about being vigilant at the very moment it matters – when you receive an email and are about to open its attachment, when you’re surfing and about to visit that unfamiliar site, or when you’re on Facebook and about to accept that new friend request, Farmville gift, or great new video.

It’s more about communications than it is about content. Until we accept that and look at real solutions that address the true problems, consumers will still continue to make themselves vulnerable.

