Senator Patrick Leahy of Vermont has responded to the massive loss of data by the Educational Credit Management Corporation by vowing to hold Congressional hearings and introduce new legislation to better protect personal information.
Although the Senator has repeatedly introduced a data breach notification bill in past sessions of Congress, the bill became outdated after its first introduction and didn’t improve with subsequent re-introductions. As a result, Senator Leahy will be introducing a new bill, the “CORE Security Act” when the Senate reconvenes after recess. CORE Security (Cut Out Ridiculous Excuses in Security) will require all entities holding personal information on more than 10 individuals to encrypt data. Other provisions of the bill will prohibit employees from removing sensitive or personally identifiable information from the office on portable devices and will require entities to notify individuals of any breaches within 30 days. Unlike previous legislative proposals, a breach will be defined as an intrusion into a system, even if no sensitive data are accessed or acquired.
“Enough is enough,” the Senator said in a statement e-mailed to this site. “We have been sitting around doing nothing and it just gets worse and worse. It’s time for Congress to act in a partisan manner, and I intend to lead the charge.”
In other headlines today, the dedicated researchers at Sophos report that they are rolling out a new approach to protecting data: distracting hackers once they get inside your network. “Protection by Distraction” capitalizes on the distractibility of Asperger’s-prone hackers by providing them with romantic fiction that will keep them busy for over an hour:
“It was certainly a surprise to find that romantic fiction successfully distracts hackers from their purpose, but when we thought about it, all became clear,” said Carole Theriault, senior security analyst at Sophos. “Basically, the security industry as a whole has missed a trick, and that is exploiting the Achilles’ heel of hackers. They’re human, just like the rest of us. And if you give them something titillating to peruse, they can’t restrain themselves. It’s a little like luring a mouse into a trap: they may sense the danger but cannot resist a little morsel of cheese.”
As Graham Cluley explains on his blog, Sophos is seeking input from the security community to help them develop the distractors.
Expect these stories to be updated tomorrow.
Update of April 2. Well, yes, it was all in fun. Hope you had a fun April Fool’s Day.