The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
It's about time a law like this was enacted.
On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
____
~ |rip/\/\aster /\/\onkey
You work for ChoicePoint or something?
Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.
All's true that is mistrusted
But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will supersede laws like those in some states, such as California, which have no such exemption.
The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.
If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.
At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
PICARD: What's the problem, Mister Data?
Data turns to them.
DATA: I believe I have discovered the cause of the identity theft. There is a hard core data breach in progress.
They react. Data indicates the phishing email on the screen. They walk up to it...
DATA: It is the flashpoint of a privacy invasion. And it is expanding.
PICARD: Expanding... I thought phishing scams were suspended on this ship?
DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.
TROI: Why didn't we notice it before?
DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.
PICARD: Is there any way we can stop it?
DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.
Picard stares at the screen for a long moment...becoming very thoughtful...
PICARD: Astonishing... to see our identities stolen like this...
He who knows best knows how little he knows. - Thomas Jefferson
Dear PrvtBurrito,
We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:
[Click here to update your account]
If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal (or whatever service is being spoofed)!
Laboratree - Scientific collaboration based on OpenSocial.