TECH
02/24/2014 05:18 pm ET Updated Feb 24, 2014

New Law Would Force Companies Like Target To Report Hacks Quickly

Mark Wilson via Getty Images

Following criticism that Target and other retailers have been slow to publicly report attacks, Attorney General Eric Holder on Monday pressed for a new federal law that forces companies to quickly disclose when they get hacked.

Holder called on Congress to pass a nationwide standard that forces businesses that suffer cyber attacks to notify customers when their data falls into the hands of cyber criminals.

“This would empower the American people to protect themselves if they are at risk of identity theft,” Holder said in his weekly address. “It would enable law enforcement to better investigate these crimes -- and hold compromised entities accountable when they fail to keep sensitive information safe.”

Target has come under fire after taking six days to admit publicly that hackers accessed more than 70 million customers' personal information in December. Neiman Marcus waited nine days after learning that it also had been hacked in January.

Consumer Watchdog, a consumer group, has claimed the retailers may have delayed reporting the breaches to not disrupt sales during the holiday shopping season.

Both retailers denied such claims and said they waited because they were still investigating the breaches and closing security gaps.

But the attacks were first revealed not by the companies themselves but by a cyber-security blogger, highlighting how businesses are often slow to acknowledge cyber attacks to customers -- if they do so at all.

Companies stay quiet about getting hacked for many reasons. They have stock prices and reputations to protect, and their lawyers advise them to remain silent in the face of potential lawsuits.

Target said that sales dropped significantly after the company disclosed the breach, and its stock has recently traded at 52-week lows.

Waiting to admit cyber attacks deprives customers of valuable time they could spend taking steps to protect themselves from fraud, experts say.

"When you are a victim of a hack attack, time is of the essence in terms of how you react," said Tom Kellermann, the managing director of cyber protection at Alvarez & Marsal, a professional services firm.

"There have been many instances where corporations have waited months to report that a breach occurred, and during that time, identity theft cases have dramatically grown in number," Kellermann said.

While Target and Neiman Marcus initially waited days before going public, many companies take longer or never admit getting hacked. At least six other retailers have also been attacked with the same piece of malicious software used in the Target attack, but have not disclosed the breaches publicly, according to IntelCrawler, a cyber-security firm.

Nearly every state has a law mandating that companies tell customers when their personal data has been compromised. But the laws give companies significant leeway, allowing them to take several weeks to investigate before disclosing a data breach. Laws in Wisconsin, Vermont and Florida give companies 45 days from when they first learn about a cyber attack to notify customers.

In the wake of the Target breach, a group of Democratic senators last month re-introduced legislation that would create a nationwide standard for companies to quickly notify consumers if their personal data was stolen. But similar bills have failed to pass in the last two sessions of Congress.

In addition, Sen. Jay Rockefeller (D-W.Va.) said last year that guidelines issued by the Securities and Exchange Commission that called on publicly traded companies to disclose cyber attacks to investors have been “insufficient.”

Companies are often not just slow to admit cyber attacks to customers and investors. They are also reticent to notify law enforcement, frustrating many federal prosecutors.

“Corporations may wait days or even weeks and months, or never disclose the attacks at all, for fear of exposing proprietary information,” Preet Bharara, the U.S. attorney for the Southern District of New York, wrote in a 2012 New York Times op-ed. “But doing so makes it much harder to identify the perpetrator and prevent future economic injury.”

In an interview with The Huffington Post last August, Bharara said that silence from hacking victims “is still an issue.”

"It's not just a law enforcement problem; it's a corporate culture problem also," he said.

CONVERSATIONS