The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
It's about time a law like this was enacted.
On average, I tend towards favoring less legislation rather than more, but the simple fact is that since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
Taxpayers get to pay for yet another government audit agency (or group within an agency, the FTC) that audits companies. Boy, the IRS isn't a bloated piece of shit or anything. I guess someone has to make sure the govt can fine people/companies.
It's certainly about time they did something. But I'm sure loopholes will easily be found as soon as the campaign contributions start rolling in. Also, I assume everyone noticed the acronym. It reminds me of Gnus Not Unix.
Similar to the upcoming US election results
Does this law apply if my privacy is violated due to a breach of law done by a government agency?
Oh, wait...
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Finally! Recursive Acronyms become mainstream!!!
Data Accountability and Trust Act (DATA)
GNU's Not Unix (GNU)
I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.
So, does this mean Equifax is required by law to tell me someone else is using my social security number?
How the hell would you know if this law was ever broken if they don't tell anyone?
Question everything
Why the god damn FTC? They are a worthless bunch of idiots, not that Congress isn't full of those.
Such a law won't pass. It's too anti-business.
Now the government is using recursive acronyms? I thought that the FSF had a patent on that...
But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will supersede laws like those in some states, such as California, which have no such exemption.
The nice thing about a law like this is not that we'll be informed, but rather that companies will be more cautious with the data, knowing that they'll HAVE to inform us if they screw up.
Fewer laptops flying coach with 20,000 credit card numbers in an Excel spreadsheet on them. (My next door neighbor got a nice paper-mail note from a company that let a laptop get snatched just last week.)
Let us count the ways:
1) amendments
2) exceptions (gov't, big business, telcos)
3) loopholes
4) unclear/incomplete definitions
5) enforcement (is the FCC the best choice?)
6) insert your scenario here
It sounds good, but the devil (as usual) is in the details.
uR iGn0ranc3, Their Power
We've had all these reports in congress about how unprepared the nation is for cyberwar. This seems like one pretty good market based approach to increasing our preparedness (though others may be necessary). If companies have greater risk exposure for insecure data, they have a greater fiduciary responsibility to secure it. A simple solution that Adam Smith could be proud of.
Stop-Prism.org: Opt Out of Surveillance
They are the ones that eat up all of the cheap, easy credit which is why credit card security precautions are such a joke. There are companies that have reported that the standards are so lax that you could rip up a credit card application, tape it back together, mail it in and still get a credit card. Why? Because the modern American dream is not about freedom, but material possessions and you cannot afford a lot of the really nice things without a very good job or a lot of cheap credit.
I'm curious as to what will be defined as "personal data." Email address? What about MRU lists or cookies? Also, what's the definition of "notify"? Does it count as notification if the company puts a one line blurb at the bottom of its website? This legislation may be utilitarian in spirit, but I fear the letter of the law will change little. Business as usual...
Did they actually come up with a recursive acronym? is there a geek advising them? there's hope!!! WHEE!!!
DATA = DATA is not an Emulator!
Nick
At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
Now in addition to PIN Numbers and ATM Machines, we'll have the DATA Act.
It is poor form for the acronym to spell one of the words in said acronym. They should have named it the "Data Accountability Means Integrity and Trust" act: DAMIT
If a baby duck is a "duckling," why would anyone want to eat "dumplings?"
Is slipshod security practices within a company. Sure, security breaches are pretty damn scary, but I've worked with some PRETTY big companies who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygiene, and send it to this payroll company in delimited format.
They suggested that I simply attach the .tab files to an email and email them on over. I balked at that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email where who knows how long this info will sit in their Outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password protected .zip files hosted on a password protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.
I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.
Any way to mod the article summary down as redundant? There's 4 sentences, and 3 of them say the exact same thing.
Conversation as recalled by Ms. Jones:
Voice on the Phone: Hello, Ms. Jones.
Jones: Are you a telemarketer? That's illegal.
VOP: No, I am calling from a company that holds some of your most personal data.
Jones: Oh.
VOP: Yes, I need to inform you that I'm not wearing security breaches.
Americans report rash of obscene phone calls, news at 11.
Seriously, I see why the author stayed anonymous. (Before you bring up the point of my posting anonymously, it's only for lack of an account. So there.)
the fines you suggest could easily ruin the company.
OR... the company might take the steps necessary to protect itself and its shareholders by bothering to protect the credit card numbers.
If you've got a better way to convince companies to behave, the entire world is all ears.
PICARD: What's the problem, Mister Data?
Data turns to them.
DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.
They react. Data indicates the phishing email on the screen. They walk up to it...
DATA: It is the flashpoint of a privacy invasion. And it is expanding.
PICARD: Expanding... I thought phishing scams were suspended on this ship?
DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.
TROI: Why didn't we notice it before?
DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.
PICARD: Is there any way we can stop it?
DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.
Picard stares at the screen for a long moment...becoming very thoughtful...
PICARD: Astonishing... to see our identities stolen like this...
He who knows best knows how little he knows. - Thomas Jefferson
A smaller business would have fewer customers and therefore not have to spend as much. Any business where sending a form letter to customers is a prohibitively high cost is probably sick and likely to go under anyway.
Given that it can take weeks or months to clear up your credit history and potentially costs thousands of dollars if someone uses your information to open fraudulent accounts, I don't think it's unreasonable to ask companies to send a letter when they fail in their legal obligation to protect their customers' personal information.
Dear PrvtBurrito,
We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:
[Click here to update your account]
If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal (or whatever service is being spoofed)!
Laboratree - Scientific collaboration based on OpenSocial.
But only customers? What about all these mega-companies that banks hire to do their clerical work? Technically, we're not their customers, so they'll obviously try to claim that.
Sorry, Mario, but our legal solution is in another castle!
As a cynical American, I wonder what sort of riders are tacked onto this bill. In an administration where national ID card legislation is tacked onto a military spending bill, I wouldn't be surprised if we're signing ourselves into slavery here...
I am scientifically inaccurate.
They can't pass that, the acronym will result in infinite recursion and the government will crash!
This is a step in the right direction, but I'd like to see them held more accountable through stricter penalties. How about fines to fund those audits (make them pay to get audited? I like the irony), or better yet, refund people for all they're going to spend in both time and money when their identity is stolen?
All govt agencies are exempt from obeying the law.
Is it just me, or do these legislators spend more time thinking up clever titles that spell out words than on the actual content of the bills?
More here. Legislation in this vein has been in the works for some time now, and this may be the best shot at getting anything passed this year. Still, that said, with the crypto exemption, I question the bill's true worth.
... What's tacked onto it? (No, I didn't RTFA.) This sounds like one of those seemingly innocuous bills that the **AA might push through Congress to once again "promote creativity," a.k.a. give consumers the chokehold.
Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
corporate regulation is understandable in light of dicks like Enron, but it's very very expensive for businesses. Boo-hyphen-hoo, you may say. However, if it costs more for a company to operate, they'll charge more. It'll cost you more as a consumer.
It could be argued that Sarbanes Oxley and the raft of other regulation is overkill. You might argue that companies should have some damn sense of what's right and what isn't, without needing to be regulated down to the tiniest level.
Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...
The government does get things right from time to time, and this is one of them.
Right now, a disgruntled employee of a banking, credit or other corporation that has possession of your social security number, can sell your info on the street and the company has no liability or mandate forcing them to tell you of the breach once they become aware of it (which they will when 1000+ customers suddenly transfer all their money to an account in Poland). The onus is currently on the customer to notice the problem, report it, and then argue and plead for them to fix it (with the customer thinking this is an isolated incident when it is not). With this law, the customer will no longer have to argue the case, as the company will be forced to reveal the breach and make it right.
If you want to gripe about paying too many taxes, write your senator that you're sick of paying for $500 hammers and $10000 toilet seats. But this law is a keeper and about 30 years late in coming.
Encrypting your data in bulk is not a bad security measure. However, if the breach does not involve the mass theft of encrypted data files, but rather a break in normal access methods, the encryption does not provide any protection at all.
You still have to deal with "trusted user" abuse as well as protecting the APIs that allow normal decrypted access to the data.
Imagine being the systems/database admin who has to report a data loss to management.
Management will have a very hard time understanding that data could be lost even though it was encrypted. Will they understand that they will be required to report this loss despite the encryption security measure?
This is similar to a firewall providing security, even though most of the ports are wide open.
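The distinction the post above draws (encrypted files stolen off a tape versus a flaw in the normal access path that hands out plaintext) as an added example; this is not code from the original thread or from any product mentioned in it. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the script runs on the standard library alone, the session table and record contents are constructed, and the endpoint names and the missing ownership check are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real AEAD such as AES-GCM
    so the example needs no third-party library. It does not authenticate."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RecordStore:
    """Customer records encrypted at rest. The key has to live with the
    application, because the application must decrypt to serve reads."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rows = {}

    def put(self, customer_id: str, record: dict) -> None:
        self._rows[customer_id] = encrypt(self._key, json.dumps(record).encode())

    def raw_blob(self, customer_id: str) -> bytes:
        """What a stolen backup tape or disk image contains: ciphertext only."""
        return self._rows[customer_id]

    def get(self, customer_id: str) -> dict:
        return json.loads(decrypt(self._key, self._rows[customer_id]))


# Constructed session table: token -> the customer that token belongs to.
SESSIONS = {"sess-alice": "c1001", "sess-bob": "c1002"}


def lookup_vulnerable(store: RecordStore, token: str, customer_id: str) -> dict:
    """The normal access path. It checks that the caller is logged in but never
    that customer_id is the caller's own record, so any valid session can walk
    every id and receive plaintext. The at-rest encryption contributes nothing."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    return store.get(customer_id)


def lookup_fixed(store: RecordStore, token: str, customer_id: str) -> dict:
    """Same endpoint with the ownership check the vulnerable one lacks."""
    if SESSIONS.get(token) != customer_id:
        raise PermissionError("not your record")
    return store.get(customer_id)


def demo() -> dict:
    """Compare the two breach shapes on constructed data."""
    store = RecordStore(os.urandom(32))
    store.put("c1001", {"name": "Alice Example", "ssn": "000-00-0001"})
    store.put("c1002", {"name": "Bob Example", "ssn": "000-00-0002"})

    # Breach shape 1: the encrypted files are stolen. Plaintext is absent.
    tape_leaks = b"000-00-0002" in store.raw_blob("c1002")

    # Breach shape 2: Alice's session is turned against the access path.
    api_leak = lookup_vulnerable(store, "sess-alice", "c1002")["ssn"]

    try:
        lookup_fixed(store, "sess-alice", "c1002")
        fixed_blocks = False
    except PermissionError:
        fixed_blocks = True

    return {"tape_leaks_ssn": tape_leaks, "api_leaks_ssn": api_leak,
            "fixed_blocks": fixed_blocks}


if __name__ == "__main__":
    print(demo())
```

The notification question in the post follows directly: the second breach shape leaks exactly the same plaintext as an unencrypted tape would, so an "it was encrypted" exemption reasoned from the storage layer alone does not describe what the attacker actually obtained.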
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
Somewhere at the bottom of the EULA that nobody can read? Encrypted in a billion lines of legalese that makes your eyes water and is essentially unreadable to the normal human being?
I'm not even concerned about the various loopholes and exemptions that this bill will most likely have (I have to admit, I did not read it. Nor is it worth the time reading it 'til it's passed, for the simple reason that if it COULD present a benefit against spyware in software it WILL be changed). Even without loopholes it's pointless as long as the customer is not informed in a separate EULA-like info field, in layman's terms, what is going to happen to his PC!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
what about breaches that take place outside of US borders, since so much is outsourced overseas? If a breach happens outside of US borders, do they still need to tell? (Of course they should, but yet another possible loophole)
Problem with most corporations, and Congress, is that the people in charge usually don't know anything about technology, let alone security. They have no idea what's possible or what should be done. They seem to think it's beneath them to ask technology experts for advice on the subject, so they just slap together some blind legislation and tell everyone it's going to be okay.
I think you misunderstand me. Consider your example:
In this case, 50,000 lives have been affected, possibly rather seriously, by the negligence of some or all of those 50 people. If serious damage has been done to all 50,000 then I am entirely in favour of that company of 50 people ceasing to exist.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What if your privacy is breached by a third party?
A credit card validation service?
An outsourcing company?
The consumer is not the "customer", especially in the second case.
The US Congress has no mandate in the Constitution offering them any power over consumer privacy or information. The Interstate Commerce Clause was written to give the Federal government power to regulate the states to prevent them from taxing, tariffing or embargoing interstate commerce: it was not meant to regulate commerce in any other way.
This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement. If the company won't do business with you, don't buy from them -- if you want a cheap price, you might be willing to forgo this contract feature.
All my customers have in my contract agreement a stipulation that we both will notify the other in the event of identity or security breach. I don't buy anything from anyone without making sure I am protected -- and basic tort and contract law protects me in this case.
Of course this law has nothing to do with protecting consumers but with increasing Congress' control over individuals and businesses and offering a new layer of deterrence for the average person to go into business. We could replace much of the FTC with more realistic tort regulations rather than creating new laws where none are needed.
In my answer, the lawyers would win in the short run but standard contract agreements would put them on the back burner. In Congress' solution, the lawyers win all around.
We can safely assume that most of these companies adhere to the minimum computer security system standards. The minimum standards are about as good as not having any security whatsoever. What companies can get away with in terms of liability in identity theft is analogous to getting a girl pregnant, then not being ordered to pay child support because you wore a condom (albeit an expired one). Verily, all this act would do is let a customer know they are the victim of identity theft, with no effective method of recourse. Sure, pull all your business/assets from the company, but some guy already has your information. What is needed is a higher standard of computer security within companies which hold sensitive user information, rather than the FTC auditing a company after the customers are screwed-over. Just some more bureaucratic red tape and more tax dollars spent on the appearance of security... err, I mean, keeping the people safe.
"Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
With this the government could attempt to "steal" personal information from private companies. If they're caught, they can say they were "investigating" violations of the DATA Act. If they're not caught, they get all the private info they want.
lexbaby
"Be Brave, Be Loyal, Be True." -- Hawkeye Pierce
. . . also known as the "Corporate Eye-Tee Security Empire Builder Full Employment Act of 2006." They'll milk this for departmental budget and fascist network powers just as with SOX, HIPAA, and GLB that came before.
I too have felt the cold finger of injustice.
So wait, the government does care about our privacy? Hopefully the government feels as strongly about their own data as they do about the data of the companies under them.
Would they inform people when the government breaches their security?
My karma makes buddha cry.
.. an official law with a recursive naming scheme?
This sounds woefully ambiguous. I think it would be better stated "any customers directly". We want to help consumers, but we also don't want to cause great harm to businesses who would have to hunt down all records and secondary relationships to customers who weren't directly affected.
i just put in
If a small company, perhaps 50 people, has a database of even just 50,000 credit card numbers stolen, the fines you suggest could easily ruin the company. That could lead to at least 50 people who are now unemployed, and potentially many more as the effect ripples through the economy.
It's unlikely a business of 50 would have 50,000 credit card numbers. It's also probably not even necessary for them to keep the numbers once they receive their money. Also, the loss of 50 people likely won't have much, if any, effect on the local economy (unless of course there's only 60 people in the town).
obviously you have not filed yet, or you would have noted that:
U.S. Individual Tax Return 2005, Form 1040, Adjusted Gross Income Section, Line 30a clearly states:
"Identity Theft Related Expense, Attach Form 3823"
Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
Sounds like a great idea at first.
Then I read the part about the FTC audit.
Joe Government "Hey I need this data I can't legally access"
Bob FTC " No prob, I'll just have a hacker attack the site, then you can have whatever you want"
This will be like your credit score, information that's available to everybody /but/ you. haha.
But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.
Now, given that:
With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!
Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier has to say on that).
Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State.
Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
http://freestateblogs.net/node/306
Part of the Second American Revolution!
Clearly, the terrorists have kidnapped the real representatives and replaced them with pod people ! There's no other explanation for this.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Does this only apply to financial data (cc or ss #) ? Or to any data?
let's see:
In California we have a law that requires notification of data privacy breaches. Remember Choicepoint being in the news? That was CA's 'fault.'
In California the law allows people to put a Credit Freeze on their account. Far stronger than a 'fraud alert,' this requires the person to temporarily lift the freeze in order to add new credit. Makes life most difficult for identity thieves. Also makes it harder for new companies (no pre-existing relationship) to offer credit, so the person misses out on those hundreds of "You've Been Approved!" junkmails.
Funny, this new law guts California's law. All these protections will only exist if and after Identity Theft has already happened! Instead of spending, say, 15 minutes a month temporarily removing the freeze for business purposes, you'll get to have a freeze during your 200 hours of work trying to repair your ID theft damaged credit. Not just any 200 hours, it's 200 hours of talking with bureaucrats and writing real paper letters and constantly scanning to see what your thief has just applied for. And you never truly clean up your record - even if the big 3 agencies have fraud alerts, each store affected will have their own database of how bad you are.
And this 200 hours of brain-breakingly stressful work will all be because you couldn't just freeze your account in the first place. But at least you'll have all those fine offers of credit to read while waiting on hold.
So its funny how the companies that yelled and screamed about California's law- although they comply with it- love this proposed federal law. They ought to love it- they designed it, and are getting the best bespoke law they can buy.
This way, no company would have to safeguard our info, if the keys get stolen, they would be given a new set, we would always be aware of who is looking at our information (shouldn't access to information work both ways?) We could also delete keys so that once we terminate business with a company, we would no longer be part of their pawn farm. If they want to keep the key, they would have to pay a fee.
I'll tell you, the third party company that starts this up will be the richest in the world. Except that it would have to have its database in space to be safe.
bah, as if something that would help the consumer over the enterprise would actually happen. spam me.
Every month their user accounts database gets hacked. Just the amount of paper it will take for them to tell every user their information isn't safe will destroy the rest of the worlds' rain forests.
I agree with your thinking in that there should be some kind of penalty based on the number of affected users. I would go one step further and suggest that there should ALSO be a penalty paid to EACH of those customers. I should not have to wait to find out if my identity is/was compromised. Each breach should entitle each customer to a cash payment of, say, $1000.00.
Insurance companies will have an opportunity to provide coverage, companies will have an incentive to obtain coverage, and the insurance companies will have an incentive to provide audits, tools, etc. to help lessen the need for the policies' benefits being paid.
This could appear as reduced rates for following certain best practices. I have had car insurance policies that had a discount for certain anti-theft devices being installed in my car. My homeowner's policy had a discount for certain smoke detectors.
If a company doesn't want to deal with the hassle of dealing with an insurance company, they should have the option of self-insuring and posting a bond to cover potential losses.
Further, I would like to have a searchable, on-line resource which provided information on which companies had had breaches, the date of the breach, the number of customers affected, and the amount of the fines, penalties. For additional motivation, include who was the president, CEO, CTO, CIO, (and EIEIO :^) at the time. Hmm, add in who was on the board of directors, too.
That way, the dumping of one company and the creation of another with the same actors could not be used to hide from the consequences of their [in]actions.
(Any suggestions on other info to include?)
Ultimately, this might encourage companies to use data encryption as a matter of course - to the point that it becomes the de-facto norm of how information is stored on a computer. Maybe, with time, to the point where Joe Sixpack's home PC or PDA is secure by default. Given some of the articles and posts I've seen on /., I would like to think that, in some small way, this might help protect citizens from governmental intrusions. Not just in the USA, but set an example that could be followed in other countries around the world.
P.S. What would you do differently if these proposals were in effect and your SOHO computer were compromised? I'm pressed for time right now, but just thinking about this from THAT perspective is already making me re-think how I do things.
...if a breach does occur, a company must notify any customers concerned...
...
A little alarm bell went off in my head when I read that. Put on your tinfoil hat and come with me down business plan alley
1. Start a business; oh, online marketing or something. Doesn't matter, just a shell.
2. Collect "customer" data by whatever means necessary. Email addresses of course, anything else is a bonus.
3. Protect the data as best you can, but at some point, lose ALL the data. I didn't RTWA (whole act) so I don't know if suspected breaches count, but let's say they do. Even better if you don't even have to actually lose any data, just suspect it. Otherwise, you would actually have to cook up some "security breach" or something.
4. Here's the good part - you now have hopefully MILLIONS of customers that you MUST contact BY LAW to alert them to a possible security breach. Sounds like a great opportunity to let your customers know about new improved security products made by "affiliated" companies - they paid me some $$$ and are now fully affiliated.
5. Sell additional ad space on the emails for related items. The emails will have all sorts of official government-sanctioned stuff to GUARANTEE that they will be opened and read.
6. Profit !!
7. Try to improve security.
8. Damn those evil haxxorz! They broke in again! Now we have to "notify" all the customers again! Damn!
9. Profit some more...
The DATA protection sounds like a good idea, but I hope there is some protection against this type of scenario. If I can come up with the half-baked idea above, I imagine a bunch of scummy spammers are already frothing at the mouth.
Did any of this happen in California (where a similar law has been operating for 3 years) ?