Since I last reported on the Citigroup data breach, the bank has admitted that the number of customers affected was around 360,000, about 80 percent more than they originally reported. These types of revelations are now pretty commonplace after data breaches, as firms burned by hackers often prioritize damage control over truthful disclosure.
Of course, the problem with that approach is that customers whose data have been snatched by hackers often aren't informed until weeks or months after the fact, which may put them at greater risk of identity theft. While a lot of states have laws on the books forcing financial institutions to report data breaches to consumers in a timely manner, the differences between state laws have created a difficult-to-comply-with patchwork of requirements. As of right now, we don't yet have a similar national law in place to address situations like the Citi breach.
A couple of bills winding their way through Congress seek to change that. In the House of Representatives, Rep. Mary Bono Mack (R-Calif.) has introduced the Secure and Fortify Electronic Data Act, or SAFE Data Act, and in the Senate, Sen. Patrick Leahy (D-Vt.) has reintroduced the Data Security and Breach Notification Act of 2011.
Both bills would require institutions to adopt a minimum level of security and to inform law enforcement and customers about data breaches in a timely manner. Both also call for fines and other sanctions against firms that fail to comply.
What do you think? Should government be keeping a closer eye on how banks and other institutions manage our financial information?