The Data Accountability and Trust Act

An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."

Long Overdue

[TripMaster+Monkey]

It's about time a law like this was enacted.

On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.

Re:Long Overdue

[amliebsch]

It should be implied as interpreted through our Constitution, and amendments, etc.

What? How? You can't just pretend those documents say something they don't. Well, you shouldn't.

We can't publish sensitive data from a major corporation on the Internet, or we would get sued.

What makes you think that?That being said, it should be implied, understood, and common practice to prevent big business from doing some of the things that they should be doing in the first place (privacy violations, overcharging, bastardly interest rates, etc).

What is the advantage to having regulation be "implied, understood, and common practice" as opposed to clearly spelling it out in statute?

Re:Long Overdue

[Hrodvitnir]

Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

Don't worry, after a couple months it will become such a beaten dead horse, everyone will think "Oh, this stuff happens all the time. My chances of having my identity stolen are next to nil." And the notice gets tossed in the trash never to be worried about again.

Across corporate America

[tropicdog]

I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.

Re:So how much is this going to cost?

[Theatetus]

You work for ChoicePoint or something?

Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.

Exemption...

[Olmy's+Jart]

But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.

Re:Exemption...

[Billosaur]

But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.

Even if the encryption isn't lame or broken, it's still data out there on the loose. How long would it take to crack, given all the available information on encryption? There are precious few "uncrackable" encryption schemes and I doubt most major corporations are going to go to those lengths to protect data. From what I've seen behind the scenes, most will use tricks and simple algorithms, figuring it makes the data "mostly" secure.

Re:So how much is this going to cost?

[Anonymous+Brave+Guy]

The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.

If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.

At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.

Definition is everything

[irishxpride]

I'm curious as to what will be defined as "personal data." Email address? What about MRU lists or cookies? Also what's the definition of "notify." Does it count as notification if the company puts a one line blurb at the bottom of it's website? This legislation may be utilitarian in spirit, but I fear the letter of the law will change little. Business as usual...

From The Bill:

[TubeSteak]

http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.412 7:

Sec 5. (1) ...The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised

That's a great clause, even though it opens the door to conflicting expert opinions. They absolutely have to include a reporting mechanism into the law, so that there is a timely way to get the issue heard and resolved.

What's more scary for me...

[laplandsix]

Is slipshod security practices within a company. Sure security breaches are pretty damn scary, but I've worked with some PRETTY big company who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygene, and send it to this payroll company in delimeted format.

They suggested that I simply attach the .tab files to an email and email them on over. I balked a that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email where who knows how long this info will sit in their outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password protected .zip files hosted on a password protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.

I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.

And WHERE do they have to inform you?

[Opportunist]

Somewhere at the bottom of the EULA that nobody can read? Encrypted in a billion lines of legalese that makes your eyes water and is essentially unreadable to the normal human being?

I'm not even concerned about the various loopholes and excemptions that this bill will most likely have (I have to admit, I did not read it. Nor is it worth the time reading it 'til it's passed for the simple reason that if it COULD present a benefit against spyware in software it WILL be changed). Even without loopholes it's pointless as long as the customer is not informed in a separate EULA-like info field, in laymen's terms, what is going to happen to his PC!

Re:And WHERE do they have to inform you?

Where I work, when we were breached, we paper mailed all the inactive (terminated, retired, etc) and emailed the actives at their work email (no yahoo, gmail, etc). It wouldn't be in a EULA, it would be a separate mailing. The California law is the current one that offers the strongest & explicit language about how long they have to contact you and how it's done. Also, a newspaper ad or tv ad has been used before as well when millions are impacted.

Re:why the hell? natural cynicism!

[ObsessiveMathsFreak]

Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...

You mean there are people out there that actually trust, private companies?!!

Private companies are the most untrustworthy entities on planet earth. They exist for one reason and one reason only, making money by whatever means necessary. If your "trust" in them stands in the way, they'll gladly walk all over it. Nay, eagerly. At least Mob bosses and pimps have some kind of reputation to keep together. Private companies have no such scruples.

Government Databases: BAD

[Plugh]

It's nice that consumers would be notified when our ostensibly private data has been spilled by businesses.
But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.

Now, given that:

• Private businesses have a huge motive to avoid losing data -- when they do, customers are free to go elsewhere (and we do!)
• You're not free to "go elsewhere" when your Government loses your data
• Governments are likely to have way more sensitive and intrusive data than private businesses
• You typically know exactly what info, say, the credit card company has about you. You typically have no idea what info the government has about you.
• No database is 100% secure, no data is 100% safe -- especially not from humans with administrative access and plenty of reasons to leak the data
• Which do you trust to get IT right: a make-or-break project for a company, or Yet Another Government Project?

With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!

Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier has to say on that).

Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State.

Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
http://freestateblogs.net/node/306

Re:Government Databases: BAD

Actually I heard Montana was refusing to go along also? However I guess if history is any indication NH will get more publicity for whatever she does.