Slashdot Mirror


The Data Accountability and Trust Act (DATA)

An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."

5 of 170 comments

  1. Re:Long Overdue by Anonymous Coward · Score: 1, Informative

    Fear not! If the data is "encrypted", they don't have to do anything!

    From H.R. 4127

    (1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

    (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

  2. Re:Long Overdue by TubeSteak · Score: 3, Informative

    This is going to lead to a certain amount of data hysteria once it gets passed.

    Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

    "Your information is unsafe" will become a new media theme, along with "kids shooting up schools", "female teachers sleeping with students" and "pretty white girl goes missing".

    BTW - businesses cannot go around redefining "breach" or "personal information", because the bill defines exactly what those are.

    If you read the text of the bill they've dodged out on specifying some of the trickier parts by using language like "Not later than 270 days after the date of enactment of this Act" to require the definition of certain aspects of the bill. Very poor idea, as it gives the lobbyists something to aim at weakening.

    It's sponsored by a Republican from Florida and co-sponsored by a stack of other R's. Good idea, possibly poor implementation.

    --
    [Fuck Beta]
    o0t!
  3. Re:Exemption... by amliebsch · Score: 4, Informative

    There's an exemption if they encrypt their data - even if the encryption is lame or broken.

    It doesn't say that! Stop making stuff up.

    The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

    Now perhaps there are encryption algorithms approved by the NIST that you feel are not sufficiently strong - though you haven't given any examples - but to claim that you can use any old encryption algorithm is FUD, pure and simple.

    --
    If you don't know where you are going, you will wind up somewhere else.
  4. Re:Recursive Acronym! by amliebsch · Score: 3, Informative

    I don't think it counts as recursive, because the "Data" that is in the name of the act is NOT referring to the acronym "DATA," it's referring to the actual word "Data." To be recursive, an acronym must be self-referential, but this one is not.

    --
    If you don't know where you are going, you will wind up somewhere else.
  5. Re:Unconstitutional and Unnecessary by Ph33r+th3+g(O)at · Score: 2, Informative

    This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement. If the company won't do business with you, don't buy from them -- if you want a cheap price, you might be willing to forgo this contract feature.

    That's nice in theory, but one of the reasons we have government regulation is to help mitigate the asymmetry of power that prevents individuals from ever negotiating contract terms at all with companies that hold their data, much less terms about privacy. This legislation flows from the same river as the FCRA, FDCPA, and FACTA -- it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.

    --
    I too have felt the cold finger of injustice.