The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?
If you don't know where you are going, you will wind up somewhere else.
Apparently, there was a recent security breach relating to a computer housing data from one of the retirement programs in the state of Georgia. Data was stolen, including names, SSNs, banking info, etc, and the state sent a form letter with applications for retrieving credit scores. Although this isn't quite the same as what you are saying, it is a breach that occurred on the government's watch. Do government agencies have the same notification duties as companies under this new legislation? Who holds government accountable when their data security is inadequate and/or fails?
Windows is going the way of phlogiston...
I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
--
make install -not war
It addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.
I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.
Most of the acronyms you listed have their basis in previous regulations that failed, or previous favoritism ("cronyism") that created a maze that prevented competition from entering the market that you say failed. I have no hope in new laws fixing any problems at all, they'll just make things worse so the door is opened for more laws in the future.
Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
A tighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.
Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.
If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?
e.g.:
Eye Colour
Retina Pattern
A fingerprint
A fingerprint and the finger it comes from
Your first name
Your full name
You can bet your last pence that Direct Marketers would start the scope creep to etch away at what would be considered Personal Data, and you will end up with those fuckwits STILL protected by law and still unaccountable.
Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.