- The FBI director said last year that cybercrime threat will equal or surpass threat from terrorism
- Federal law doesn't offer any standard for companies to notify customers following breaches
- AG Holder releases a video message calling for congressional action
- He wants companies to be required to more quickly alert customers
Attorney General Eric Holder is calling on Congress to require companies to more quickly alert customers when their personal information is put at risk in cyberbreaches.
In a video message Monday, Holder says "a strong, national standard for quickly alerting consumers whose information may be compromised ... would empower the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes -- and hold compromised entities accountable when they fail to keep sensitive information safe. "
Federal law currently doesn't offer any standard for companies to notify customers following breaches, though some states have notification laws. Many companies are wary that public notification will hurt their business.
Proposals in Congress to require a uniform notification and security standard have languished for years.
Support for one bill proposed by Sen. Patrick Leahy, D-Vermont, has grown in the wake of the massive breach of retailer Target, which Holder says compromised personal information of up to 70 million people, including credit- and debit-card data of 40 million Target customers.
Leahy's bill proposes to do much of what Holder is asking.
Holder's proposal in some ways contrasts with how law enforcement has dealt with past breaches.
During past cyber break-ins, investigators have asked companies to not immediately make the information public. In some cases, cybercriminals are known to return to exploit the vulnerabilities, and investigators may be able to gather evidence as new breaches occur.
The rise of cybercrime in recent years has alarmed U.S. officials. One well-regarded report on data breaches produced by Verizon says there were 621 confirmed breaches in 2012, and that many breaches go unreported. Federal Bureau of Investigation Director James Comey told a Senate committee last fall that soon the cybercrime threat will equal or surpass the threat from terrorism.
The Obama administration has come up with legislative proposals to better defend the country from cyberattacks but that effort has largely been shelved, a casualty of the controversy surrounding government surveillance after disclosures by former National Security Agency contractor Edward Snowden. The NSA would be a lead agency in any national cyberstrategy, and the agency is politically damaged post-Snowden.
One criticism of mandated notification is that the number of such reported crimes could overwhelm law enforcement. Holder, in his video message, says any legislation should also provide exemptions for minor breaches.
Holder says the breach at Target and another retailer Neiman Marcus around Christmastime last year shows the need for better tools for law enforcement.
"This legislation would strengthen the Justice Department's ability to combat crime and ensure individual privacy -- while bringing cybercriminals to justice," he says.