The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
It's about time a law like this was enacted.
On average, I tend towards favoring less legislation, rather than more, but the simple fact is that since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
____
~ |rip/\/\aster /\/\onkey
It's certainly about time they did something. But I'm sure loopholes will easily be found as soon as the campaign contributions start rolling in. Also, I assume everyone noticed the acronym. It reminds me of Gnus Not Unix.
Similar to the upcoming US election results
Does this law apply if my privacy is violated due to a breach of law done by a government agency?
Oh, wait...
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.
So, does this mean Equifax is required by law to tell me someone else is using my social security number?
How the hell would you know if this law was ever broken if they don't tell anyone?
Question everything
You work for ChoicePoint or something?
Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.
All's true that is mistrusted
Why the god damn FTC? They are a worthless bunch of idiots, not that Congress isn't full of those.
-----
One is born into aristocracy, but mediocrity can only be achieved through hard work.
Well, what would you prefer? That we rely on companies to admit that they screwed up?
Such a law won't pass. It's too anti-business.
Now the government is using recursive acronyms? I thought that the FSF had a patent on that...
But it's got a gotcha. There's an exemption if they encrypt their data, even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world-class semi through. And there are fears that it will supersede laws like those in some states, such as California, which have no such exemption.
The nice thing about a law like this is not that we'll be informed, but rather that companies will be more cautious with the data, knowing that they'll HAVE to inform us if they screw up.
Fewer laptops flying coach with 20,000 credit card numbers in an Excel spreadsheet on them. (My next-door neighbor got a nice paper-mail note from a company that let a laptop get snatched just last week.)
The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.
If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.
At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Actually, shouldn't that recurse in the opposite direction?
DATA=DATA Accountability and Trust Act=DATA Accountability and Trust Act Accountability and Trust Act= DATA Accountability and Trust Act Accountability and Trust Act Accountability and Trust Act etc.
Boys from the City. Not yet caught by the Whirlwind of Progress. Feed soda pop to the thirsty pigs.
Let us count the ways:
1) amendments
2) exceptions (gov't, big business, telcos)
3) loopholes
4) unclear/incomplete definitions
5) enforcement (is the FCC the best choice?)
6) insert your scenario here
It sounds good, but the devil (as usual) is in the details.
uR iGn0ranc3, Their Power
We've had all these reports in congress about how unprepared the nation is for cyberwar. This seems like one pretty good market based approach to increasing our preparedness (though others may be necessary). If companies have greater risk exposure for insecure data, they have a greater fiduciary responsibility to secure it. A simple solution that Adam Smith could be proud of.
Stop-Prism.org: Opt Out of Surveillance
I'm curious as to what will be defined as "personal data." Email address? What about MRU lists or cookies? Also, what's the definition of "notify"? Does it count as notification if the company puts a one-line blurb at the bottom of its website? This legislation may be utilitarian in spirit, but I fear the letter of the law will change little. Business as usual...
Did they actually come up with a recursive acronym? Is there a geek advising them? There's hope!!! WHEE!!!
DATA = DATA is not an Emulator!
Nick
At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
Tax payers pay for a lot more than that...
(speaking as a non-american looking at all those acts and bills)
CAN SPAM : Controlling the Assault of Non-Solicited Pornography And Marketing
... and I bet you have a lot more ...
DATA : Data Accountability and Trust Act
USA-PATRIOT : Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Somebody really gets paid by your taxes to come up with ridiculously long names for acts and bills just so the acronym kinda-almost says something? I get a laugh every time I hear about a new bill or act coming from the States...
After 3 days without programming, life becomes meaningless
- The Tao of Programming
Now in addition to PIN Numbers and ATM Machines, we'll have the DATA Act.
[Fuck Beta]
o0t!
Believe me, if they are required to publicly disclose all breaches, the impact on their reputation and the cost of publishing the disclosure will be punishment enough.
What this law really needs (it may be included, I haven't checked) is a clause that slaps them hard if they choose NOT to disclose.
Delay is preferable to error. (Thomas Jefferson)
Is slipshod security practices within a company. Sure, security breaches are pretty damn scary, but I've worked with some PRETTY big companies who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygiene, and send it to this payroll company in delimited format.
They suggested that I simply attach the .tab files to an email and email them on over. I balked at that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email, where who knows how long this info will sit in their Outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password-protected .zip files hosted on a password-protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.
I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.
Free The Lapland Six!!!
http://www.whatiwore.com
What I wore, now with 100% more pool project!
I don't think it counts as recursive, because the "Data" that is in the name of the act is NOT referring to the acronym "DATA," it's referring to the actual word "Data." To be recursive, an acronym must be self-referential, but this one is not.
If you don't know where you are going, you will wind up somewhere else.
Any way to mod the article summary down as redundant? There's 4 sentences, and 3 of them say the exact same thing.
PICARD: What's the problem, Mister Data?
Data turns to them.
DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.
They react. Data indicates the phishing email on the screen. They walk up to it...
DATA: It is the flashpoint of a privacy invasion. And it is expanding.
PICARD: Expanding... I thought phishing scams were suspended on this ship?
DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.
TROI: Why didn't we notice it before?
DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.
PICARD: Is there any way we can stop it?
DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.
Picard stares at the screen for a long moment...becoming very thoughtful...
PICARD: Astonishing... to see our identities stolen like this...
He who knows best knows how little he knows. - Thomas Jefferson
A smaller business would have fewer customers and therefore not have to spend as much. Any business where sending a form letter to customers is a prohibitively high cost is probably sick and likely to go under anyway.
Given that it can take weeks or months to clear up your credit history and potentially costs thousands of dollars if someone uses your information to open fraudulent accounts, I don't think it's unreasonable to ask companies to send a letter when they fail in their legal obligation to protect their customers' personal information.
Dear PrvtBurrito,
We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:
[Click here to update your account]
If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal (or whatever service is being spoofed)!
Laboratree - Scientific collaboration based on OpenSocial.
But only customers? What about all these mega-companies that banks hire to do their clerical work? Technically, we're not their customers, so they'll obviously try to claim that.
Sorry, Mario, but our legal solution is in another castle!
As a cynical American, I wonder what sort of riders are tacked onto this bill. In an administration where national ID card legislation is tacked onto a military spending bill, I wouldn't be surprised if we're signing ourselves into slavery here...
I am scientifically inaccurate.
They can't pass that, the acronym will result in infinite recursion and the government will crash!
This is a step in the right direction, but I'd like to see them held more accountable through stricter penalties. How about fines to fund those audits (make them pay to get audited? I like the irony), or better yet, refund people for all they're going to spend in both time and money when their identity is stolen?
Is it just me, or do these legislators spend more time thinking up clever titles that spell out words than on the actual content of the bills?
... What's tacked onto it? (No, I didn't RTFA.) This sounds like one of those seemingly innocuous bills that the **AA might push through Congress to once again "promote creativity," a.k.a. give consumers the chokehold.
Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
Corporate regulation is understandable in light of dicks like Enron, but it's very, very expensive for businesses. Boo-hyphen-hoo, you may say. However, if it costs more for a company to operate, they'll charge more. It'll cost you more as a consumer.
It could be argued that Sarbanes-Oxley and the raft of other regulation is overkill. You might argue that companies should have some damn sense of what's right and what isn't, without needing to be regulated down to the tiniest level.
Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...
The government does get things right from time to time, and this is one of them.
Right now, a disgruntled employee of a banking, credit or other corporation that has possession of your social security number, can sell your info on the street and the company has no liability or mandate forcing them to tell you of the breach once they become aware of it (which they will when 1000+ customers suddenly transfer all their money to an account in Poland). The onus is currently on the customer to notice the problem, report it, and then argue and plead for them to fix it (with the customer thinking this is an isolated incident when it is not). With this law, the customer will no longer have to argue the case, as the company will be forced to reveal the breach and make it right.
If you want to gripe about paying too many taxes, write your senator that you're sick of paying for $500 hammers and $10000 toilet seats. But this law is a keeper and about 30 years late in coming.
Encrypting your data in bulk is not a bad security measure. However, if the breach does not involve the mass theft of encrypted data files, but rather a break in normal access methods, the encryption does not provide any protection at all.
You still have to deal with "trusted user" abuse as well as protecting the APIs that allow normal decrypted access to the data.
Imagine being the systems/database admin who has to report a data loss to management.
Management will have a very hard time understanding that data could be lost even though it was encrypted. Will they understand that they will be required to report this loss despite the encryption security measure?
This is similar to a firewall providing security, even though most of the ports are wide open.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
--
make install -not war
Sorry, but no, I don't believe that.
There have been several cases in the past, mentioned here and elsewhere, of major leaks of personal data. Can you show me a single example where a leaker has compensated the affected individuals or taken significant steps to prevent a recurrence? Has any such offender suffered any significant damage to their bottom line? Not that I know of, certainly.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Somewhere at the bottom of the EULA that nobody can read? Encrypted in a billion lines of legalese that makes your eyes water and is essentially unreadable to the normal human being?
I'm not even concerned about the various loopholes and exemptions that this bill will most likely have (I have to admit, I did not read it. Nor is it worth the time reading it 'til it's passed, for the simple reason that if it COULD present a benefit against spyware in software it WILL be changed). Even without loopholes it's pointless as long as the customer is not informed in a separate EULA-like info field, in layman's terms, what is going to happen to his PC!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There are companies that have reported that the standards are so lax that you could rip up a credit card application, tape it back together, mail it in and still get a credit card.
Specifically, companies like this one.
SharkJumper
I think you misunderstand me. Consider your example:
In this case, 50,000 lives have been affected, possibly rather seriously, by the negligence of some or all of those 50 people. If serious damage has been done to all 50,000 then I am entirely in favour of that company of 50 people ceasing to exist.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What if your privacy is breached by a third party?
A credit card validation service?
An outsourcing company?
The consumer is not the "customer", especially in the second case.
The US Congress has no mandate in the Constitution offering them any power over consumer privacy or information. The Interstate Commerce Clause was written to give the Federal government power to regulate the states to prevent them from taxing, tariffing or embargoing interstate commerce: it was not meant to regulate commerce in any other way.
This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement. If the company won't do business with you, don't buy from them -- if you want a cheap price, you might be willing to forgo this contract feature.
All my customers have in my contract agreement a stipulation that we both will notify the other in the event of identity or security breach. I don't buy anything from anyone without making sure I am protected -- and basic tort and contract law protects me in this case.
Of course this law has nothing to do with protecting consumers but with increasing Congress' control over individuals and businesses and offering a new layer of deterrence for the average person to go into business. We could replace much of the FTC with more realistic tort regulations rather than creating new laws where none are needed.
In my answer, the lawyers would win in the short run, but standard contract agreements would put them on the back burner. In Congress' solution, the lawyers win all around.
We can safely assume that most of these companies adhere to the minimum computer security system standards. The minimum standards are about as good as not having any security whatsoever. What companies can get away with in terms of liability in identity theft is analogous to getting a girl pregnant, then not being ordered to pay child support because you wore a condom (albeit an expired one). Verily, all this act would do is let a customer know they are the victim of identity theft, with no effective method of recourse. Sure, pull all your business/assets from the company, but some guy already has your information. What is needed is a higher standard of computer security within companies which hold sensitive user information, rather than the FTC auditing a company after the customers are screwed-over. Just some more bureaucratic red tape and more tax dollars spent on the appearance of security... err, I mean, keeping the people safe.
"Bad times have a scientific value. These are occasions a good learner would not miss." ~ Ralph Waldo Emerson
With this the government could attempt to "steal" personal information from private companies. If they're caught, they can say they were "investigating" violations of the DATA Act. If they're not caught, they get all the private info they want.
lexbaby
"Be Brave, Be Loyal, Be True." -- Hawkeye Pierce
. . . also known as the "Corporate Eye-Tee Security Empire Builder Full Employment Act of 2006." They'll milk this for departmental budget and fascist network powers just as with SOX, HIPAA, and GLB that came before.
I too have felt the cold finger of injustice.
So wait, the government does care about our privacy? Hopefully the government feels as strongly about their own data as they do about the data of the companies under them.
Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Would they inform people when the government breaches their security?
My karma makes buddha cry.
This sounds woefully ambiguous. I think it would be better stated "any customers directly". We want to help consumers, but we also don't want to cause great harm to businesses who would have to hunt down all records and secondary relationships to customers who weren't directly affected.
i just put in
If a small company, perhaps 50 people, has a database of even just 50,000 credit card numbers stolen, the fines you suggest could easily ruin the company. That could lead to at least 50 people who are now unemployed, and potentially many more as the effect ripples through the economy.
It's unlikely a business of 50 would have 50,000 credit card numbers. It's also probably not even necessary for them to keep the numbers once they receive their money. Also, the loss of 50 people likely won't have much, if any, effect on the local economy (unless of course there's only 60 people in the town).
Obviously you have not filed yet, or you would have noted that:
U.S. Individual Tax Return 2005, Form 1040, Adjusted Gross Income Section, Line 30a clearly states:
"Identity Theft Related Expense, Attach Form 3823"
Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.
Now, given that:
With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!
Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier has to say on that).
Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State.
Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
http://freestateblogs.net/node/306
Part of the Second American Revolution!
Clearly, the terrorists have kidnapped the real representatives and replaced them with pod people! There's no other explanation for this.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Does this only apply to financial data (CC or SS #)? Or to any data?
let's see:
In California we have a law that requires notification of data privacy breaches. Remember Choicepoint being in the news? That was CA's 'fault.'
In California the law allows people to put a Credit Freeze on their account. Far stronger than a 'fraud alert,' this requires the person to temporarily lift the freeze in order to add new credit. Makes life most difficult for identity thieves. Also makes it harder for new companies (no pre-existing relationship) to offer credit, so the person misses out on those hundreds of "You've Been Approved!" junkmails.
Funny, this new law guts California's law. All these protections will only exist if and after identity theft has already happened! Instead of spending, say, 15 minutes a month temporarily removing the freeze for business purposes, you'll get to have a freeze during your 200 hours of work trying to repair your ID-theft-damaged credit. Not just any 200 hours, it's 200 hours of talking with bureaucrats and writing real paper letters and constantly scanning to see what your thief has just applied for. And you never truly clean up your record; even if the big 3 agencies have fraud alerts, each store affected will have its own database of how bad you are.
And this 200 hours of brain-breakingly stressful work will all be because you couldn't just freeze your account in the first place. But at least you'll have all those fine offers of credit to read while waiting on hold.
So it's funny how the companies that yelled and screamed about California's law (although they comply with it) love this proposed federal law. They ought to love it: they designed it, and are getting the best bespoke law they can buy.
I agree with your thinking in that there should be some kind of penalty based on the number of affected users. I would go one step further and suggest that there should ALSO be a penalty paid to EACH of those customers. I should not have to wait to find out if my identity is/was compromised. Each breach should entitle each customer to a cash payment of, say, $1000.00.
Insurance companies will have an opportunity to provide coverage, companies will have an incentive to obtain coverage, and the insurance companies will have an incentive to provide audits, tools, etc. to help lessen the need for the policies' benefits being paid.
This could appear as reduced rates for following certain best practices. I have had car insurance policies that had a discount for certain anti-theft devices being installed in my car. My homeowner's policy had a discount for certain smoke detectors.
If a company doesn't want to deal with the hassle of dealing with an insurance company, they should have the option of self-insuring and posting a bond to cover potential losses.
Further, I would like to have a searchable, on-line resource which provided information on which companies had had breaches, the date of the breach, the number of customers affected, and the amount of the fines, penalties. For additional motivation, include who was the president, CEO, CTO, CIO, (and EIEIO :^) at the time. Hmm, add in who was on the board of directors, too.
That way, the dumping of one company and the creation of another with the same actors could not be used to hide from the consequences of their [in]actions.
(Any suggestions on other info to include?)
Ultimately, this might encourage companies to use data encryption as a matter of course - to the point that it becomes the de-facto norm of how information is stored on a computer. Maybe, with time, to the point where Joe Sixpack's home PC or PDA is secure by default. Given some of the articles and posts I've seen on /., I would like to think that, in some small way, this might help protect citizens from governmental intrusions. Not just in the USA, but set an example that could be followed in other countries around the world.
P.S. What would you do differently if these proposals were in effect and your SOHO computer were compromised? I'm pressed for time right now, but just thinking about this from THAT perspective is already making me re-think how I do things.
...if a breach does occur, a company must notify any customers concerned...
...
A little alarm bell went off in my head when I read that. Put on your tinfoil hat and come with me down business plan alley
1. Start a business; oh, online marketing or something. Doesn't matter, just a shell.
2. Collect "customer" data by whatever means necessary. Email addresses of course, anything else is a bonus.
3. Protect the data as best you can, but at some point, lose ALL the data. I didn't RTWA (whole act) so I don't know if suspected breaches count, but let's say they do. Even better if you don't even have to actually lose any data, just suspect it. Otherwise, you would actually have to cook up some "security breach" or something.
4. Here's the good part - you now have hopefully MILLIONS of customers that you MUST contact BY LAW to alert them to a possible security breach. Sounds like a great opportunity to let your customers know about new improved security products made by "affiliated" companies - they paid me some $$$ and are now fully affiliated.
5. Sell additional ad space on the emails for related items. The emails will have all sorts of official government-sanctioned stuff to GUARANTEE that they will be opened and read.
6. Profit !!
7. Try to improve security.
8. Damn those evil haxxorz! They broke in again! Now we have to "notify" all the customers again! Damn!
9. Profit some more...
The DATA protection sounds like a good idea, but I hope there is some protection against this type of scenario. If I can come up with the half-baked idea above, I imagine a bunch of scummy spammers are already frothing at the mouth.
Did any of this happen in California (where a similar law has been operating for 3 years)?
--
zomg!!1! Custom Ponies!!