Slashdot Mirror
The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
It's about time a law like this was enacted.
On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
____
~ |rip/\/\aster /\/\onkey
I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.
How the hell would you know if this law was ever broken if they don't tell anyone?
Question everything
You work for ChoicePoint or something?
Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.
All's true that is mistrusted
But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.
The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.
If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.
At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I'm curious as to what will be defined as "personal data." Email address? What about MRU lists or cookies? Also what's the definition of "notify." Does it count as notification if the company puts a one line blurb at the bottom of it's website? This legislation may be utilitarian in spirit, but I fear the letter of the law will change little. Business as usual...
At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
[Fuck Beta]
o0t!
Is slipshod security practices within a company. Sure security breaches are pretty damn scary, but I've worked with some PRETTY big company who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygene, and send it to this payroll company in delimeted format.
.tab files to an email and email them on over. I balked a that suggestion. We've got full names, DOB, SSN, address, tax information, bank account numbers, the WORKS! They wanted me to transmit the files in the clear to their email where who knows how long this info will sit in their outlook inbox, and how MANY people will see it. I made some rather more secure suggestions, but in the end we settled on password protected .zip files hosted on a password protected webpage. Pretty feeble security if you ask me, but WORLDS better than what they wanted.
They suggested that I simply attach the
I guess the point I'm trying to make is most companies don't give a SHIT about your data. They'll play along and act like they do, but implementing proper internal security practices is HARD and EXPENSIVE. This law is a step in the right direction, but it simply isn't enough.
Free The Lapland Six!!!
http://www.whatiwore.com
What I wore, now with 100% more pool project!
I don't think it counts as recursive, because the "Data" that is in the name of the act is NOT referring to the acronym "DATA," it's referring to the actual word "Data." To be recursive, an acronym must be self-referential, but this one is not.
If you don't know where you are going, you will wind up somewhere else.
PICARD: What's the problem, Mister Data?
Data turns to them.
DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.
They react. Data indicates the phishing email on the screen. They walk up to it...
DATA: It is the flashpoint of a privacy invasion. And it is expanding.
PICARD: Expanding... I thought phishing scams were suspended on this ship?
DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.
TROI:Why didn't we notice it before?
DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.
PICARD: Is there any way we can stop it?
DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.
Picard stares at the screen for a long moment...becoming very thoughtful...
PICARD: Astonishing... to see our identities stolen like this...
He who knows best knows how little he knows. - Thomas Jefferson
Dear PrvtBurrito,
We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:
[Click here to update your account]
If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal (or whatever service is being spoofed)!
Laboratree - Scientific collaboration based on OpenSocial.
Is it just me, or do these legislators spend more time thinking up clever titles that spell out words than on the actual content of the bills?
Apparently, there was a recent security breach relating to a computer housing data from one of the retirement programs in the state of Georgia. Data was stolen, including names, SSNs, banking info, etc, and the state sent a form letter with applications for retrieving credit scores. Although this isn't quite the same as what you are saying, it is a breach that occurred on the government's watch. Do government agencies have the same notification duties as companies under this new legislation? Who holds government accountable when their data security is inadequate and/or fails?
Windows is going the way of phlogiston...
I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
--
make install -not war
That's nice in theory, but one of the reasons we have government regulation is to help mitigate the asymmetry of power that prevents individuals from ever negotiating contract terms at all with companies that hold their data, much less terms about privacy. This legislation flows from the same river as the FCRA, FDCPA, and FACTA -- it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.
I too have felt the cold finger of injustice.
it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.
I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.
Most of the acronyms you listed have their basis in previous regulations that failed, or previous favoritism ("cronyism") that created a maze that prevented competition from entering the market that you say failed. I have no hope in new laws fixing any problems at all, they'll just make things worse so the door is opened for more laws in the future.
Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...
You mean there are people out there that actually trust, private companies?!!
Private companies are the most untrustworthy entities on planet earth. They exist for one reason and one reason only, making money by whatever means necessary. If your "trust" in them stands in the way, they'll gladly walk all over it. Nay, eagerly. At least Mob bosses and pimps have some kind of reputation to keep together. Private companies have no such scruples.
May the Maths Be with you!
Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.
Now, given that:
With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!
Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier has to say on that).
Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State.
Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
http://freestateblogs.net/node/306
Part of the Second American Revolution!