Network News

X My Profile
View More Activity

Bill Would Criminalize Failure to Report Breaches

Legislation introduced in Congress by a key House lawmaker envisions prison time and stiff fines for officials at companies that fail to inform law enforcement when a digital break-in jeopardizes consumers' personal and financial data.

The Cyber-Security Enhancement and Consumer Data Protection Act of 2006, introduced this week by House Judiciary Chairman James Sensenbrenner (R-Wis.), would punish companies for failing to notify the Secret Service or the FBI of an electronic database breach if that archive holds information on 10,000 or more people or data on federal employees. Under the bill, violations would be punishable by fines and prison sentences of up to five years.

Laws like California's SB 1386, which require businesses to disclose when data breaches could expose consumers to identity theft, have prompted a flood of reports over the past couple of years from companies that somehow lost control over their customers' data. chronicled more than 100 such disclosures in 2005. With some 28 states having now enacted some form of data-breach notification laws -- and with similar legislation pending in more than a dozen other states -- 2006 is likely to be an even bigger year for such announcements.

But even with all these disclosures, businesses that experience digital break-ins do not appear any more willing to notify law enforcement. The results of a survey released last year by the FBI and the Computer Security Institute indicated that only one in five businesses that faced digital intrusions reported them to law enforcement.

Still, I have to wonder whether the FBI and the Secret Service would want, or even be able to handle the increased workload should the percentage of reporting companies suddenly increase. I'm sure a greater number of data points on break-ins would be useful to law enforcement analysts, but just from conversations I've had with several knowledgeable sources, it seems many FBI field offices already are up to their ears in these kinds of cases.

Sensenbrenner's bill would add another $10 million toward the cyber crime operations of both agencies, though it is hard to say how far that money would go.

Mark Rasch, a former Justice Department computer-crimes prosecutor and a senior vice president for security consultancy Solutionary in McLean, Va., said the Sensenbrenner bill reflects the government's long-held view that it can get a better handle on crime by having more reporting from victims.

"The government has a tendency to believe that it could prosecute more cyber criminals if only more crime were reported," Rasch said. "On the other hand, people in the private sector constantly complain that the government never does anything with the stuff they do report, so why bother?"

The FBI has officially placed catching cyber thieves among its top three priorities, and in the past six months we have begun to witness the results. Earlier this week, the Justice Department won its first case against a domestic botnet operator, securing an unprecedented sentence: 21-year-old California resident Jeanson James Ancheta was given 57 months in prison for using viruses to hack into and remotely control hundreds of thousands of personal computers.

Last week, prosecutors secured a guilty plea from 20-year-old Christopher Maxwell of Vacaville, Calif., who admitted using a botnet that led to computer malfunctions at a Seattle hospital and did more than $135,000 worth of damages to military computers.

These types of prosecutions, while laudable and necessary, are unlikely to affect the operations of cyber criminals much higher up in the fraud chain -- the foreign spam sponsors, software pirates, illicit data brokers and identity thieves who ply their trade with the help of these ubiquitous bot networks.

The ugly truth is that U.S. law enforcement will not begin to make significant progress in preempting and/or punishing cyber criminals until it can convince more nations that it is in their best interest to help battle online crime. U.S. law enforcement officials can gain valuable anti-cyber-crime muscle abroad via existing mutual legal-assistance treaties and through FBI agents stationed at U.S. embassies abroad, but those contacts only go so far. In countries where many of the world's biggest cyber criminals currently reside -- China, Russia and several Eastern European and South American nations -- an unholy mix of factors exacerbate the epidemic: rampant poverty and corruption; little chance of getting caught; a disdainful view of American culture, arrogance and wealth; and comparably little investment in the international infrastructure that supports the global Internet.

Until some of these factors begin to change, the bulk of the world's most-wanted cyber criminals will remain safely ensconced in regions that are largely beyond the arm of domestic law enforcement.

By Brian Krebs  |  May 11, 2006; 4:48 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Your Spycar Ran Over My Dogma
Next: Apple Update Mends Dozens of Security Flaws (Windows Users Read This Too)


I'd like to see ISP's offer to their customers, an option to block all traffic, including e-mails, from these crime-ridden countries and regions: China, Russia, Eastern Europe, Central & South America.

I have no interest in doing business with, or seeing any content from persons in those regions. Thus, the only traffic I am likely to see from these areas would be threats by cybercriminals.

Posted by: Ken L | May 14, 2006 3:53 PM | Report abuse

That would be nice, but most spam is delivered by bots, many of which are broadband users in the U.S. unaware of their involuntary participation in the global crime infrastructure. Blocking IP addresses in those countries would do little to slow the onslaught of phishing and other attacks.

Karl Fox
Lithik Systems

Posted by: Karl Fox | September 5, 2006 10:47 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company