Obama to Propose New Legislation for 30-Day Security Breach Notification

President Obama will propose new legislation during the State of the Union that could force companies to bolster security before new attacks occur.

Rod Trent

January 12, 2015

2 Min Read

From a technology perspective, if 2014 were to get an official label it might possibly come down to the year of successful data hacks. High-profile breaches including Target, Home Depot, and Neiman Marcus were upstaged by the 2014 finale, with Sony Entertainment taking home the trophy as the clear winner.

At the time of the Sony attack by North Korea, I suggested that legislation needed to be put in place to ensure that customers were protected and companies held accountable for poor security. As we've seen, even with Sony, damages could've been avoided had the companies simply followed security practices that already exist.

EXTRA: Incidentally, a week after Sony's attack went public, the company finalized a contract for patch management technologies that had been sitting unsigned for months.

So, it's great to hear today that President Obama will be proposing legislation to enforce communication policies for companies that have been hacked. According to the proposal, companies must inform customers within 30 days of a data hack. Today, with no mandate in place, companies can take as long as they want before making data intrusions public, and most of them use that time to bolster their PR positioning instead of focusing on customer risk. Setting a 30-day shot clock will hopefully force companies to make quicker decisions in reacting to data loss and security breaches.

We won't know the details of the proposed legislation until January 20th, when President Obama delivers his State of the Union speech for 2015 – which is kind of a PR move on its own since there should be literally no one that would lobby against such legislation. But, let's hope there are repercussions should the letter of the law not be followed. The Health Care industry recently fined an Alaskan Health organization $150,000 for not having its systems fully patched after a breach. I believe that the only way to ensure another Sony, Target, Home Depot, or Neiman Marcus doesn't happen again is to hit them where it counts – their bottom line. The threat of a stiff fine should do the trick.
