Slashdot Mirror


Congress Proposes Data Breach Disclosure Bill

segphault writes "A new data breach disclosure bill proposed by Senator Sensenbrenner (the same politician that sponsored the infamous Real ID Act) requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers. The punishments for failing to disclose information about data breaches to federal law enforcement agents under this new bill include jail time and massive fines. Although this bill requires disclosure to the government, it does not require companies to inform the victims of data theft. Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public, even if the companies are required to do so by state laws. This law could potentially allow companies to circumvent and undermine state laws designed to protect consumers from identity theft."

101 comments

  1. Authoritarianism by Morosoph · · Score: 3
    I was thinking "isn't this at odds with the authorities' view on white-hat hackers, and those who disclose flaws in security generally", but then I realised that the authorities wish to create and enforce law: that is "order"; individuals who act in such a way as to make such laws less necessary count as competition in the power struggle.

    Consider this Ambulance Driver.

    1. Re:Authoritarianism by arminw · · Score: 2, Interesting

      ....the authorities wish to create and enforce law.....

      whereby THEY can know when you've been screwed by a database break-in, but may forbid the database holder from telling YOU that this happened, even if there are state laws that mandate the database holder tell their clients when such a data theft has occurred.

      --
      All theory is gray
    2. Re:Authoritarianism by iamthatjoseph123 · · Score: 0, Offtopic
  2. fyi about ytmnd by Anonymous Coward · · Score: 0

    max from ytmnd takes "donation" money and funds trips to europe with it.. wonder why he asks for so much donation money?

  3. Government is as Government does by omeomi · · Score: 2, Interesting

    What if those doing the infiltrating are NSA agents?

    1. Re:Government is as Government does by Anonymous Coward · · Score: 0

      Then you ignore the law and use the state law enforcement team to deal with it.
      The state law enforcement will understand the situation.

    2. Re:Government is as Government does by sbrown123 · · Score: 1

      Oh, they are free game. Of course, you will be marked a terrorist and sent on a secret CIA plane to some place in Europe to be secretly tortured if caught. You can get this also by paying down your credit cards too. Zie Heil King Chimpy.

    3. Re:Government is as Government does by bckrispi · · Score: 1
      Zie Heil King Chimpy.

      Don't you mean "Sieg heil"?

      --
      Xenon, where's my money? -Borno
    4. Re:Government is as Government does by epee1221 · · Score: 1

      What if those doing the infiltrating are NSA agents?
      From the summary: "Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public...."
      They just put a gag order on the company whose database the NSA breached.

      --
      "The use-mention distinction" is not "enforced here."
    5. Re:Government is as Government does by Reziac · · Score: 2, Insightful

      That's a scary thought... and altogether too likely, given the current political climate. After all, who would be more likely to both create a data breach (in the course of an "investigation") AND not want the breached party to tell average citizens about it??

      One begins to wonder just exactly who actually authored this bill...

      Now look what you've done -- now I've got to get my tinfoil hat refitted!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    6. Re:Government is as Government does by ksheff · · Score: 2, Insightful

      They'll get black marks on their next performance review because the company was able to determine that there was a security breach.

      --
      the good ground has been paved over by suicidal maniacs
    7. Re:Government is as Government does by russint · · Score: 1
      What if those doing the infiltrating are NSA agents?


      From the summary: "Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public, even if the companies are required to do so by state laws."
      --
      ^^
    8. Re:Government is as Government does by Anonymous Coward · · Score: 0

      King Chimpy doesn't spell good eaither, Zie Heil King Chimpy

    9. Re:Government is as Government does by raides · · Score: 1

      exactly the problem. Not even NSA trackable field agents but retired KGB agents ? perhaps.

  4. Student hacks by Oriumpor · · Score: 3, Interesting

    Student Information Systems can easily contain over 10,000 student records. So, potentially, the kid who changes his grades could be tried by the fed in the future.

    1. Re:Student hacks by EvanED · · Score: 1

      Reread the article. Nothing has changed, unless the article left something out, from the end of who breaks in. The kid who changes his grades would be tried under the same laws as he would be today. (And, I would argue, rightfully so if he's in college, which he is if he's hacking a system with 10K students.)

      The changes in the laws affect the owner of the system which was hacked, not whoever hacked it.

    2. Re:Student hacks by Oriumpor · · Score: 1

      I work in K12, we manage 2 SIS databases that contain between 16k and 40k student records. We aren't the norm, but there are much larger K12 databases out there.

  5. Great...oh wait... by MarkusQ · · Score: 2, Insightful

    When I read this part of the summary:

    The punishments for failing to disclose information about data breaches to federal law enforcement agents under this new bill include jail time and massive fines.

    My first thought was, it's about damn time.

    Then I realized that they probably weren't talking about the sort of "data breaches to federal law enforcement agents" I was thinking they were.

    --MarkusQ

    P.S. If you missed my insightful post on the "poll says people want the NSA to spy on them" story there's still time to check it out.

  6. Federal vs State by dtfinch · · Score: 2, Interesting

    Bills in Congress usually win a few more votes if they add a clause giving state laws precedence, or so I've heard. That might make a difference with a bill like this one.

    1. Re:Federal vs State by WebSorcerer · · Score: 1
      Bruce Schneier has addressed this:

      "Identity-Theft Disclosure Laws"
      (about half way down the page)

  7. Promoted to Senator for Spewing Silly Ideas? by Lacrocivious+Acropho · · Score: 3, Informative

    Um, House Judiciary Committee Chairman James Sensenbrenner is not actually a senator, but a congressman. http://www.house.gov/sensenbrenner/

    --
    Twice as crazy as I would be if I was half as crazy as I am.
  8. Representative Sensenbrenner by stinerman · · Score: 2, Informative

    Sensenbrenner is a member of the House, not the Senate.

  9. Keeping quiet isn't always bad by jralls · · Score: 2, Interesting

    >This law could potentially allow companies to circumvent and undermine state laws designed to protect consumers
    > from identity theft.

    Yeah. It could also give the FBI time to track down the perps before general knowledge of the crime taints the witness pool. It's a pretty common practice at the local level for news organizations to keep quiet about evidence for the same reason.

    1. Re:Keeping quiet isn't always bad by ZachPruckowski · · Score: 2, Insightful

      Yes, but it also gives the perps more time to use the stolen stuff. I mean, if the fraud is at least reported to credit agencies, they can have a heads up. I mean, it's a lot better for the victim to stop this before money gets spent. And I'm sure the CC companies feel the same way.

    2. Re:Keeping quiet isn't always bad by iminplaya · · Score: 1

      I mean, it's a lot better for the victim to stop this before money gets spent. And I'm sure the CC companies feel the same way.

      The credit card companies don't care either way. They get paid no matter what, through higher rates and tax write offs. If they did care, credit card fraud would actually be difficult.

      --
      What?
  10. Um, no.... by Internet+Ronin · · Score: 5, Insightful

    Look, who gives a flying fuck if the government knows? I certainly don't. In fact, I'd rather they didn't.

    This government is getting way too nosy, IMHO. I don't care what the reason is, I'm sick and fucking tired of being saved from myself. Let me smoke my cigarette in my bar, and masturbate the Islamic terrorist porno, leave me ALONE.

    Hey old white bastards, how about a law that requires me to be informed when my company's data has been hacked? Or better yet, why don't you worry about things like maintaining roads. Why is it that the NSA knows what sort of hemorrhoid creme I prefer, and when my girlfriend's periods are, but I can't drive down I-20 for more than 3 hours without needing a new wheel alignment for my car?

    How about a fucking law that says I get to be informed every single time my personal information is accessed by the government? Every time I turn on the news I seem to be reading about how the Department of Homeland Security is making sure I'm following the latest terror alerts and that I'm not cooperating with al-Qaida via Xbox Live. I mean, Jesus, what the hell.

    Even better, the slashdot summary makes it sound like they can circumvent state legislation. Um, my constitutional skills may be a little rusty, but I'm pretty sure that's what the 10th Amendment was all about.

    While we're on the subject, what about the 9th Amendment? I'm pretty sure that that one said that we have rights that may not be explicitly mentioned in the Bill of Rights, and thus, we reserve those rights. It seems like America is serving up its rights like a Shoney's smorgasbord. It's like 8.99 all-you-can-give-away at the Patriot Act Red Lobster. Jesus.

    Douglas Adams once said (forgive my horrible paraphrasing, as I don't have my copy of Salmon of Doubt with me) that Australians often say "We're the last place left mate," and it made him nervous because of the confidence with which he said it. Makes me wanna see if they're right, cuz quite frankly I'm sick of this place. It's not just the politicians, it's the people. How can my vote count if I realize for every vote I cast with some knowledge of the issues, there's fifty people who are being exploited by like-minded zealots whose sole purpose is to acquire power, and seek to retain that power.

    Madison, in Federalist 9 & 10, argued that mutual self-interest will keep the 'factions' in line, draw them towards a central, middle ground, and thus make decisions that are best for everyone. The problem seems to be that not all 'factions' are allowed into the game. At this point, I've got to request that I be allowed to collect my chips and move to another table, cuz I think I'm getting screwed, and all I see is more Dick coming. ~a

    1. Re:Um, no.... by Reziac · · Score: 1

      "How about a fucking law that says I get to be informed every single time my personal information is accessed by the government?"

      Hear bloody freakin' hear!! if we had such a law, it just might frighten some sense into the average citizen, and get them to realise that in Soviet Russia, they were no more spied upon than we are -- by our own respective governments.

      Someone once said that the true definition of totalitarianism is that your every move is tracked in SOME way, however trivial or seemingly innocuous -- your credit card use, your check writing habits, your travel patterns (often easy to track via credit card trails), your discount card purchases, etc, etc, all sum up to a profile that means you have NO freedom from the gov't, because it can ALWAYS find you. If not by its own efforts, then by co-opting the tracking efforts of private entities.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Um, no.... by farble1670 · · Score: 1, Insightful

      Let me smoke my cigarette in my bar

      don't flatter yourself. laws that disallow indoor smoking have nothing to do with saving you from yourself. it has to do with saving other people from you. it's about second hand smoke.

    3. Re:Um, no.... by StanVassilevTroll · · Score: 0, Funny

      hey fuckface, if you don't want my second hand smoke, go to a non-smoking establishment. If you don't like gay niggers, don't move to their neighborhood and complain about it. Get the fuck off my hershey highway and sit your swollen ass somewhere where you feel comfortable. Majority prefference should not become law. Most people don't like nigger cock up their ass, but that doesn't mean they have the right to make it illegal. Go fuck yourself, you nerd loser piece of shit. Better yet, post your address here, so I can come over and beat the fuck out of your nerd ass. And your mom's ass, whose basement you're destined to live out your days in. Fuck you, you stupid piece of shit. People like you should be shot point-blank in the head. Care to post your whereabouts so I can put you out of your misery? You're a fucking waste of space. Die bitch.

      --
      I like to take it in the ass
    4. Re:Um, no.... by Yartrebo · · Score: 1

      Why don't more people get this? And the pretense it's done under is so utterly stupid too. Terrorism is down there with lightning strikes as an unlikely way to die, but people are so easily cowed into accepting anything with that bogeyman.

    5. Re:Um, no.... by ThreeE · · Score: 0

      Exactly. The sense of entitlement in the GP is pathetic.

      "It's my right to inflict cancer on yours or anyone else's lungs."

      or

      "Fix my highways!"

      Like it is somehow the government's responsibility to keep your friggin' wheels aligned.

    6. Re:Um, no.... by ThreeE · · Score: 0

      Why do I care if some credit card company is tracking my spending locations or habits? I already assume they are. If I don't want them to be able to, I simply use cash. This just seems to be a lot of whining over nothing. News flash: no one really cares what your travel habits are -- until you blow up a building.

    7. Re:Um, no.... by Reziac · · Score: 1

      Indeed... anything they can't poke with a stick, they're afraid of.

      And any time one of the OTHER sheep might get picked for slaughter, everyone keeps their head down and tries to avoid notice. Nothing pleases the wolf more than not having to work for his dinner.

      Take airline hijackings... It always amazes me that a couple guys with box cutters could intimidate a planeful of grown men with fists, and women with slugger-grade purses (not to mention the deck'em value of a high-heel spike in the temple). -- IMO the only in-air threat that is worth possibly "respecting" is a bomb large enough to do more than knock out a few portholes, and then *only* when equipped with a deadman trigger (ie. if the guy lets go, the bomb automatically detonates). Anything else -- well, half a dozen strapping lads can pile on and take down the perp before they can do any real damage, and given how everything with a decent blade or projectile capacity is nixed at the gate, the worst that can happen is a couple of the strapping lads get superficial cuts. If the gang-tackle happens before the perps get completely set up, even less chance of anyone getting hurt.

      But people in "civilized" countries are so trained to wait for the cops rather than protect themselves on the spot, that they'd rather put their heads down and wait to be slaughtered.

      Personally, I'm not a prey animal. Time to trot out my story about how people behave in live "killer games" again...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    8. Re:Um, no.... by Pseudonym · · Score: 1
      People like you should be shot point-blank in the head. Care to post your whereabouts so I can put you out of your misery?

      I wholeheartedly recant and apologise for my remarks, Mr Vice President.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  11. Feels great to know the history you're already by Polarism · · Score: 1

    living in, doesn't it?

    I'm going to assume, for my own personal sake, that this is not a unique situation for us, and that others have felt the same during prior portions of history.

    I only hope the damage is reversible without a dramatic loss of life.

    --
    All your base are belong to Google.
    1. Re:Feels great to know the history you're already by Internet+Ronin · · Score: 3, Insightful

      I would assume, given your sig, that you already know this isn't the case. This time in history is unique because of the unprecedented level of communication and communication observation ability of most people. If you wanted to get lost in 1890, you could. You can't get lost today. DNA, fingerprinting, mandatory photo IDs, e-mail, telephones, RF communications, purchasing habits. You can be found in America. Sure, if you disappear into some caves in Afghanistan, no one can find you, but the second you plug into the grid in modern America, you're there to stay. Jefferson is rolling over in his grave.

      If you want to know the truth, I believe it can be saved, but it's going to take people who aren't self-interested. Or at least not wholly self-interested. I hope to take place in our great political machine, and I suspect that unless things change drastically and quickly, I'll commit political suicide within a few hours. I won't be getting my knob slobbed, but the second I start voting down education funding cuz some wacko Alaskan rep has tacked on an 8.2 million dollar rider to subsidize his mining industry, I'll be hosed.

      What happened to the philosopher-rulers that Plato waxed romantic about? That's really where I fear the problem is. The system is too entrenched to be dug out without martyrs. I've happily accepted my future place on the cross, I just hope it's not in vain.

    2. Re:Feels great to know the history you're already by Polarism · · Score: 2, Insightful

      Yes, I already know it isn't the case, hence the rather self-deprecating wording I used.

      Not only that, but I was a cog in the machine for a few years, so I know how it works. It really doesn't matter how I try to explain it, nor is it really a big deal of course, but I do have intimate knowledge of the laws and policies that some of these issues are governed by, or at least were governed by at some point in history.

      I've said for many years that I do not vote for the simple reason that the voters have been marginalized completely. Right now voting has nothing to do with the real issues that we face, but rather the ones that extract the largest emotional reaction from the public that will benefit one party over another. The fact that we only have two major political parties is also extremely suicidal to our system of government.

      In order to have a functional "Democracy" as we like to call it, I believe there need to be at least 4 major political parties, and by major I do mean relatively close to a 25% support number.

      I predict we haven't even seen 1% of the abuse potential available to those in power yet, and things are going to get quite interesting during the next 20 years.

      --
      All your base are belong to Google.
    3. Re:Feels great to know the history you're already by albanac · · Score: 1
      If you wanted to get lost in 1890, you could. You can't get lost today. DNA, fingerprinting, mandatory photo IDs, e-mail, telephones, RF communications, purchasing habits. You can be found in America. Sure, if you disappear into some caves in Afghanistan, no one can find you, but the second you plug into the grid in modern America, you're there to stay. Jefferson is rolling over in his grave.

      This raises a quite interesting train of thought about the nature of choices. In order to effectively 'disappear', even prior to modern photo-IDs and DNA profiles, you usually needed to sacrifice access to civilisation. Using your 1890 metaphor, you had to go further west, or you had to go to small-town America away from the big city, leave your name behind, abandon assets in order to run, and so on.

      What you're describing here is that if you're on the grid, you can be found. That's true, I'd say, unless you have a reasonable understanding of the techniques the finders use. However, being on the grid is a choice. It's a choice to live a lifestyle which involves you in the grid, in modern life. Your point about going to Afghanistan is really a point about personal choice.

      Living on the grid is not a requirement: it's a choice. I have access to this view because I grew up off the grid, I didn't really plug in until 1995 when I was 18. But in the modern west, we tend to see electricity, running water and computer access as being basic standards of living, and they aren't: they're choices. If one chooses a different style of life, one can happily avoid the grid.

      I guess I'm not really making an argument here, just thinking out loud, but it's interesting. Thank you.

      ~cHris
  12. UK and US by Morosoph · · Score: 1
    I'm aware that my example is from the UK, rather than the US, but authorities are really pretty much the same everywhere.

    Only in some places, they get away with more than in others.

  13. What about gov computers? by Anonymous Coward · · Score: 2, Insightful

    Will the government be required to disclose computer breaches? Will the public be informed? Who will get the fine or jail time when a computer breach occurs on government computer systems and no one reports it? Maybe this is to help fight the war on terrorism?

    The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, and Veterans Affairs. The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004.

    IRS Leaves Taxpayer Data Largely Unprotected: http://it.slashdot.org/article.pl?sid=06/04/07/1942259

    1. Re:What about gov computers? by ScrewMaster · · Score: 1

      Will the government be required to disclose computer breaches?

      Highly unlikely. After all, telling us about it would, in itself, be a breach of security, right?

      Will the public be informed?

      Probably not.

      Who will get the fine or jail time when a computer breach occurs on government computer systems and no one reports it?

      Well, I don't know about fines or prison terms but I'm sure a few administrators might get passed over for promotion.

      Maybe this is to help fight the war on terrorism?

      How, exactly? You fight terrorism by shooting the people that actually blow things up (assuming they don't succeed in blowing themselves up in the process, accidentally or on-purpose) and treating the rest of the people with respect so that they don't also become terrorists. What that has to do with our personal information I have no idea, although I'm sure the Bush Administration will find some way to link our credit card statements to terrorism.

      --
      The higher the technology, the sharper that two-edged sword.
  14. Hooray for unfunded mandates! by RyanFenton · · Score: 3, Insightful

    I'm certainly no libertarian - and I hate the way that information about myself and my choices is being traded and used in the marketplace... but this seems like an unfunded mandate by way of criminalizing inaction after the fact. Seems more like a tool so that the government can punish people who embarrass them after the fact, rather than an active step to secure this information.

    If they want to secure this information, either make it all illegal to use and hold in insecure ways (like on a networked computer), or fund a method of secure use of this information. Punishing the inevitable breach of security in the marketplace after the fact won't change the fact that such breaches are inevitable, and I very much doubt such punishments will improve this particular marketplace.

    Ryan Fenton

  15. change the requirements... by freedom_india · · Score: 3, Insightful
    If I am running a company, I would store exactly 9,999 records per database schema and ASP the rest.

    That way breaches don't affect me.

    Any concern that stores even a single record about anyone who is not an employee should be forced to disclose the details to the Feds and to the people whose records were compromised.

    The company should then be prevented from storing any such records for the next decade. In addition the maximum of 250K should be automatically payable within 15 days to such people.

    Failure to pay the amount would result in jail time for the CEO and CTO.

    What am i talking? Laws are not made for logical reasons... laws are made in smoke filled backrooms where my senator can compromise my state's water rights for a few more air bases or National Guard bases....

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  16. The last place left by MarkusQ · · Score: 2, Interesting

    Australia is nice, but it's far from being the "last place left." To pick just one example a tad closer to home, three of the last presidents of Costa Rica are in prison at this very moment.

    "Why?" you might ask. "Do they have particularly crooked politicians down there?"

    No, not really. Their politicians aren't much different than politicians anywhere. The difference is, they have a rather odd custom regarding the laws. When their politicians break the law they investigate, arrest, try, and eventually convict the ones who do it. In other words, they treat their elected officials just like anybody else.

    From what I can tell, as a side benefit, it seems to have a salubrious effect on the rest of the politicians.

    --MarkusQ

    1. Re:The last place left by Internet+Ronin · · Score: 1

      Hrm, I do so love the Caribbean... Maybe I'll look into Costa Rica too. Thanks for the tip. ;-)

  17. Ok, but could you be a little more vague? by Weaselmancer · · Score: 3, Insightful

    requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers.

    If you have enough users, does "cat /etc/passwd" count?

    --
    Weaselmancer
    rediculous.
  18. Another law.... by mikesd81 · · Score: 4, Interesting

    That has great potential to do something..........then they get it backwards.

    Inform the gov't....why? It's the citizens put at risk when this happens. I want to know about it dammit. That's my information they lost.

    Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public, even if the companies are required to do so by state laws. What? Backwards I tell you.

    Don't mind my ranting demeanor. I've been on an anti-gov't rant since I listened to Michael Savage earlier.

    --
    That which does not kill me only postpones the inevitable.
  19. Rep. Senselessbrenner by greenguy · · Score: 1, Interesting

    Senator Sensenbrenner (the same politician that sponsored the infamous Real ID Act)

    This is also the same guy whose immigration bill brought Latinos into the streets in unprecedented numbers to protest.

    That's some record this guy is racking up!

    --
    What if I do the same thing, and I do get different results?
    1. Re:Rep. Senselessbrenner by Secrity · · Score: 1

      Would you expect any less from a Congressman who is a lawyer, a right wing Republican, AND heir to the Kotex fortune? He also wants the Supreme Court to be overseen by Congress, one way that he urged to do this was by the creation of an "office of inspector general for the federal judiciary" to watch over the courts. Broadcast Music Inc. (BMI) must like what he is doing as their PAC was his top campaign contributor.

    2. Re:Rep. Senselessbrenner by Anonymous Coward · · Score: 0
      This is also the same guy whose immigration bill brought Latinos into the streets in unprecedented numbers to protest.


      So what? How many of those latinos were legal? 50%? 60%? INS should have been at every protest carding motherfuckers and the illegals should be fingerprinted, retina scanned, and sent home. Come up here again and match a database? Great. Let's start a government owned prison/factory where you can make items for ZERO wages for five years on the first offense and we'll see how many still come up. In addition, veterans of the Iraq war should be given a plum assignment to the southern border with shoot to kill instructions.

      In short: I love it how a group protests when half of them cannot vote and then expect a change. I know in my neighborhood we've been turning illegals in left and right.
    3. Re:Rep. Senselessbrenner by KlomDark · · Score: 1

      How do you turn them in? (Who do you call?) And does it do any good? Is there any response from the agency you are calling?

  20. Old News ... by Anonymous Coward · · Score: 2, Informative

    Data security bills have been kicking around for months now, and House Judiciary is actually running behind the pack. Senate Commerce moved a Smith bill (S. 1408). Senate Judiciary moved bills authored by Chairman Specter (S. 1789) and Senator Sessions (S. 1326). Representative Stearns introduced a bill, H.R. 4127, which was referred jointly to House Energy & Commerce and House Judiciary. Commerce voted it out, but Sensenbrenner has been sitting on it while working on his own bill.

    Every one of the above-mentioned proposals is better than the Sensenbrenner bill. While the Sessions draft is almost as bad, it's likely to take a back seat to the Specter bill. Most importantly, all the alternative bills have process. They've had hearings. They've had markups. They've been analyzed by industry, DoJ, privacy advocates and everyone else conceivable. They may actually be going places. The Sensenbrenner bill is not. It looks more like a cheap stunt to get some media, and ensure some say in the final product, than a serious attempt to legislate.

  21. Tell the people? Oh, no, of course not... by kcbrown · · Score: 1
    Although this bill requires disclosure to the government, it does not require companies to inform the victims of data theft.

    Of course not. If it did, it would be strongly opposed by the corporations, who everyone by now should know are the entities that are really in control of the government today.

    <sarcasm type="biting">
    Yes, this clearly is government of the people, by the people, and for the people. Makes me proud to be an American!1!!11!
    </sarcasm>

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  22. I wonder if ... by MrNougat · · Score: 3, Interesting

    Is the telecom companies' (except Qwest!) disclosure of telephone call data to the NSA considered a 'data breach?' Would that have to be disclosed as well? Or would the president simply sign a set aside for that law so that the NSA could ignore it?

    Face it; it doesn't matter what laws are in place, the federal government can do whatever it wants. I'm actually to the point now where anytime I hear anyone associated with the government supporting A, or insisting that A is true, that I take it to mean that the government intends to do Not A or that Not A is true.

    I don't have a college degree, but I'm going to encourage my children strongly to get their own. Not so that they can get better jobs in the US - so that they can take up legal residence in Canada.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
    1. Re:I wonder if ... by ksheff · · Score: 1

      The telecoms are not prohibited from using, disclosing, or allowing access to customer information in order "to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services;". This was a part of The Telecommunications Act of 1996. The NSA would just have to convince the telecoms that by giving it access to the call records, the companies would be protecting it's property and customers from terrorist attack.

      --
      the good ground has been paved over by suicidal maniacs
    2. Re:I wonder if ... by ksheff · · Score: 1

      grrr...that should be "their property"

      --
      the good ground has been paved over by suicidal maniacs
    3. Re:I wonder if ... by MrNougat · · Score: 1

      "to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services;"

      It's unfortunate that politics plays such a big role in determining whether the above is true for a given request. I expect that when that was written in 1996, more concrete evidence of threat was intended to be required.

      Now, it just depends on whether the person who makes the decision buys into the hype and fear-mongering the current administration has been delivering for five years.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
  23. We need some open state rebellion by MikeRT · · Score: 4, Interesting

    Congress passes laws all of the time that it has no constitutional authority to enact. The states should just flat out ignore these laws and go on their merry way. If the feds try anything, many states have more than enough law enforcement capabilities to overpower federal law enforcement and the loyalty of the guardsmen in the NG is going to be first and foremost with their families and communities.

    The states need to start knocking the feds down a few notches on the totem pole through things like not taking mandates, arresting DEA agents on capital murder charges for killing people in no-knock raids and things like that.

    1. Re:We need some open state rebellion by Internet+Ronin · · Score: 1

      Some open rebellion period would be nice. I'm a firm believer in power structures being a two-way street, i.e. that it can only be given up, not really taken away, though there are so many open arms to those who would give it. What really gives me the willies is that this will probably pass, and one more little nugget of freedom will be passed through the American intestinal system, into the toilet of government. Personally, I'm always hoping for a population leveling event. Sick? Maybe, but I think it'd help.

    2. Re:We need some open state rebellion by yosemite · · Score: 1

      Werd, however you know that the NSA is on your ass dude! hehe but seriously, think about how much money the government wastes on bullshit (aka $1 trillion war). Each state would be better off on its own, or perhaps with a weak federal government.

      Divided we stand, better!

    3. Re:We need some open state rebellion by Anonymous Coward · · Score: 0

      This is something that repealing the 17th Amendment -- direct election of senators -- would fix. At first I thought this was only talked about by crazy people, like Zell Miller, but there may actually be a case for it.

      If the State Legislatures are picking the Congressional Senators, how many unfunded mandates, or "oh yea, we superseded any state laws again" laws would be passed ? The check and balance that keeps the federal government from running roughshod over the states was removed when the 17th amendment made the public elect the Senate -- all in the name of a more democratic system.

  24. Time to get a new job by Zadaz · · Score: 3, Insightful
    Time to get a job with the Feds. They can't possibly have enough people on staff to respond to/enforce all of these laws. Just think how many people it takes to go through those tens of millions of phone calls from the hundreds of thousands of terrorists in the US.

    Seriously though, it's a shame they'd override the states' rights. The only reason most data thefts see the light of day nationally is a California law that makes them do it. If you live in California, the company is required to notify the affected people that their data was mishandled.

    If they want to encourage tighter security, seems like bad PR for a whole company is at least as effective as sending some dork to Federal PMITA prison.

    I haven't looked up the numbers but I'd bet the penalty for having a stolen database would be worse than actually stealing one.

  25. not if 30% are foreigners by cheekyboy · · Score: 1, Offtopic

    If 30% are foreign students, they are not citizens, then the 10000 count is really 7000.

    But we don't expect politicians to have a brain cell bigger than a turtle.

    Come on gen-xers, if your dad is an evil polly, tell him to get a clue.

    --
    Liberty freedom are no1, not dicks in suits.
  26. Alright, it's not funny anymore you guys! by HackNack · · Score: 1

    Hey, this could be a good thing. They're probably just making sure that everyone is protected. I mean, why do we need to know? We are the government!

  27. Why not? by PingXao · · Score: 2, Insightful

    There are already many laws on the books that basically say to the people: you don't have any right to know about (fill_in_the_blank). What's one more? Want to know why you're on a do not fly list? Sorry, can't tell you that. Want your congressman to investigate exactly how far the president's secret domestic program goes? Sorry, you're not allowed to know that. Want to know why gubmint investigators are snooping around your life? Sorry, can't tell you that. Want to know what crime they are going to charge you with? Sorry, that's none of your business. Want to know why they feel the Constitution doesn't apply anymore? Sorry, none of your business. Want to know exactly who they consider a terrarist? Sorry, you don't need to know that. Want to know if the gubmint has broken into your home looking to plant evidence against you? Sorry, you don't have a right to that information.

    Well fuck that. If Americans are willing to cede so much control to the gubmint and don't give a damn enough to see to it that the people who say "trust us" can actually be trusted then they deserve every single damn thing that happens to them, and I count myself among them, unfortunately. Democracy and freedom. Government of the people, for the people and BY the people. It was nice while it lasted. Now, back to a century or 2 of tyranny I guess.

    1. Re:Why not? by rkcallaghan · · Score: 1

      If Americans are willing to cede so much control to the gubmint and don't give a damn enough to see to it that the people who say "trust us" can actually be trusted then they deserve every single damn thing that happens to them

      While the underinformed, apathetic voter is truly an epidemic in this country; the simple fact is at this point it doesn't matter. Even when people DO care, one way or another, whether it's by free speech zone or supreme court decision; the powers that be will do what they must to remain in charge.

      ~Rebecca

  28. Some things to be aware of... by MarkusQ · · Score: 2, Interesting

    Before you go, you should know a few things about the place:

    • The food is generally wonderful, though not as spicy/salty as in the US
    • They have a higher literacy rate than the US
    • Honking your horn at random while you drive basically means "Hello, nice day, isn't it?"
    • The beaches are what you'd expect in the tropics, but the capital is about 70-75 degrees year round.
    • Petty crimes in some areas are more common than others (don't walk around downtown at midnight with your wallet hanging out of your pocket).
    • Violent crimes over all are less common than in the states
    • They have no army, but a large fraction of the citizens carry guns.
    • The people are generally extremely nice, and very polite
    • They have a better sense of humor than we do
    • Even so, being a jerk is not recommended
    • The national saying translates to "life is good"; unlike "have a nice day" they actually mean it.

    Other than that, it's basically a great place for a vacation. I know some people who went down there on vacation in the mid 1980s, and still plan on going back home to the states someday.

    --MarkusQ

    1. Re:Some things to be aware of... by Anonymous Coward · · Score: 0
      Honking your horn at random while you drive basically means "Hello, nice day, isn't it?"


      I'm glad you told me this, otherwise I'd have issued suppressing fire.
    2. Re:Some things to be aware of... by nosredna · · Score: 1

      "# They have no army, but a large fraction of the citizens carry guns. # The people are generally extremely nice, and very polite" I suspect some relation between these two facts.

    3. Re:Some things to be aware of... by nosredna · · Score: 1

      Let's try it again without me being a moron...

      "# They have no army, but a large fraction of the citizens carry guns.
      # The people are generally extremely nice, and very polite"

      I suspect some relation between these two facts.

      There we go, much better.

    4. Re:Some things to be aware of... by Pseudonym · · Score: 1

      Yup. Because Costa Ricans are nicer and more polite than Americans, they can actually handle the responsibility of carrying guns.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  29. Now wait a minute here . . . by jhylkema · · Score: 1, Interesting

    This law could potentially allow companies to circumvent and undermine state laws designed to protect consumers from identity theft.

    I thought Republicans believed in state's rights. Silly me.

  30. great by MrZubi · · Score: 1

    All the government needs now is some hackers.

  31. Punishing the "right" wrongs: ID theft for a start by D4C5CE · · Score: 3, Insightful
    Assuming and abusing someone else's identity to burden the victim with the cost and complaints stemming from the perpetrator's actions... this is the activity which should clearly be a crime, severely and thoroughly prosecuted and punished by sufficiently qualified (i.e. computer-literate) authorities.

    If this means jail time for the "top" several hundred spammers and scammers on counts of identity theft alone, this is only welcome - and actually at least a decade late!

    Crime is best fought by apprehending the criminals, not by gag orders on the organisations who happen to have held enabling information in an insecure manner - which would make it even harder for the individuals affected to show they are completely innocent victims rather than crooks.

  32. Gag Law in disguise by Anonymous Coward · · Score: 0

    Step 1: Body Connected to Government goes snooping. Repugnican Corporate\Religious program out on a spree.
    Step 2: Idiots are caught and can't brow beat or threaten their way out of dilemma.
    Step 3: Before courts can come into play Government connected body tells Fed about their break in of Database.
    Step 4: Fed miraculously shows up with law in hand punishing victimized database for not telling them.
    Step 5: Law requires victimized database not tell the world about Repugnican Corporate\Religious program.

    Solution:

    Friends of the earth ask anyone living here to vote. And to never vote for a Republican.

    Vote for any politician who improves the democracy at home first.

  33. federal legislation falls short by msblack · · Score: 1

    The biggest problem that I have with federal legislation is that it usually falls short of providing real protection to victims. Big business lobbies Congress to pre-empt existing state laws, such as California's, which do require notification of potential victims. So much for the Republican rhetoric about Federalism (state rights--look it up). This is one place I don't want to see interference from the current Congress.

    --
    signature pending slashdot approval
  34. But when... by bm5k · · Score: 1

    ...are they going to protect us from the secret gov't data collection, done without notice or warrants?

  35. News of large hacking group attempting this by noidentity · · Score: 1

    "...requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers."

    I've been hearing recently of the possibility that a huge hacking organization will be hacking into every database and monitoring customers continuously. I think the group is called something like the NSA or CIA or something. But they use some kind of social-engineering attack by repeatedly entering "terrorism" as the password.

  36. Government is as Government does-TOS by Anonymous Coward · · Score: 0

    Point noted. Obviously you're referring to the most recent case. However two things. One phone numbers belong to the phone company, not the customer. Two most people as part of getting phone service usually sign something that allows them to turn customer info over to the government. e.g. my ISP has that as part of its TOS. Three, where were you when the FBI was tapping phone lines? Bitching NOW about government intrusions when there was plenty of it in the past is hypocritical. Fourth, apparently no one was troubled about government intrusion when it was the Mafia we were going after.

    1. Re:Government is as Government does-TOS by omeomi · · Score: 1

      One phone numbers belong to the phone company, not the customer. Two most people as part of getting phone service usually sign something that allows them to turn customer info over to the government. e.g. my ISP has that as part of its TOS.

      If it's all legal, how do you explain the $5 billion lawsuit filed against Verizon on Friday that uses the 1986 telecommunications act that gives consumers the right to sue for $1000 for each violation of their confidential records? It might be legal, and then again it might not, but it's certainly not as cut-and-dry as you seem to be suggesting.

      Three, where were you when the FBI was tapping phone lines?

      When, during the Cold War? I was in Junior High, I guess. What did you want me to do about it then? Or maybe you're talking about when Lyndon Johnson used the FBI to get Spiro Agnew's phone records? I wasn't born yet, not much I can do about that, either. Or maybe you're talking about when the government spied on Martin Luther King Jr., making public his extramarital affairs? I was also not born yet.

      Bitching NOW about government intrusions when there was plenty of it in the past is hypocritical.

      Only if I had a chance to bitch then, and chose not to.

  37. Some things to be aware of...Tourism. by Anonymous Coward · · Score: 0

    The above post brought to you by the Costa Rica tourism board.

  38. Yes, but... by Anonymous Coward · · Score: 0

    If they really wished to stop all of these systems being broken into, then they would publish the info.

    If you follow all the systems that are currently broken into, you will find that it is nearly always one OS.

    Also, DOJ should consider following SK's example of prosecuting companies that show that they did not do all that they could. One interesting effect of that law, is that Windows is being dropped left, right, and sideways in SK and companies are moving quickly to Unix, linux, and mainframes.

  39. Only companies? by Helmholtz · · Score: 1

    "...requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers .."

    What about _government_ databases that get compromised? I think the public should be informed whenever one of those gets "infiltrated by hackers", especially since the public is the government's primary paying customer.

    --
    RFC2119
  40. Wish they would follow this by Buzz_Litebeer · · Score: 1

    I wish Americans were allowed to know when there was a breach of their privacy by the government for "terrorism" without having to be notified by reporters.

    Maybe a note "Hey, we are wiretapping everyone and recording who you call for data mining"

    --
    If you don't vote, you don't matter, so don't waste your time telling me your opinion
  41. Started good... by v1 · · Score: 1

    Sounded like a good idea from the first sentence or so. And then in typical congressional style, the more you read of the bill the less you like it. Makes you wonder if that's how the bills are written... starting out with a good noble cause, and being slowly, thoroughly perverted by the special interest groups until it's a seething pile of trash to be voted upon.

    --
    I work for the Department of Redundancy Department.
  42. Bill keeps public in dark for only 30 days by Oonushi · · Score: 1

    Well, after RTFB, I've changed my mind about this *slightly*.

    The bill says, in effect, that if any state laws that require public notification might hinder a federal investigation, then the notification would be suspended for 30 days or until it is deemed not to be an impediment to investigation. Of course, such an investigation could drag on for several months or years before the federal investigators deem it safe to notify the public.

    Otherwise, I'd say that the bill is, in spirit at least, attempting to get a handle on the problem of identity theft due to stolen SSNs (issued by a government administration). It's debatable, however, if this is the right way to go about solving the problem.

    While I understand how this may help in apprehending those involved in identity theft, I don't see this as any real step towards fixing the problem.

    Perhaps it would be better for the government to punish businesses who use SSNs for identification purposes (which they are not supposed to be used for), and force them to use some other identification method. Though, short of starting a national ID system (which the gov is bound to foul up big time), I'm not aware of any decent method of tracking individuals' IDs reliably.

    However, my personal viewpoint is that <flame>the US government has become much too bloated, and is being micromanaged to death by legislation that will only lead to tyranny.</flame>

  43. Why prevent companies from informing victims??? by Anonymous Coward · · Score: 0

    Although this bill requires disclosure to the government, it does not require companies to inform the victims of data theft. Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public, even if the companies are required to do so by state laws.


    A few things about this are troubling given the timing.

    Why are we, the public, not to be informed about data breaches impacting our personal information? Did the govt. recently discover or predict that companies they hired to mine our data might (or did) have a data breach involving at least 10,000 people?

    Just this week, we had the 3rd highest ranking CIA official's home and office raided by the FBI.

    And now, this proposed law seems it is specifically designed to prevent companies from disclosing data breaches that are caused by govt. agencies even if the breach is in violation of laws.

    What prevents this law from being abused?

    If the govt. didn't have so many corruption scandals and if Joe Wilson's wife wasn't "outed", then I'd have no problems whatsoever with them knowing my phone records.

    Another thing nobody is talking about in a related issue (govt. keeping phone records) is whether or not those phone records include Jack Abramoff, Duke Cunningham, or Scooter Libby!

    But under the circumstances:

    1. do you have confidence the govt. will sufficiently protect your records from data theft? did you ever see the grades received by departments regarding their data security? (think of FEMA not getting even a C-)

    2. do you have confidence the govt. will not abuse or misuse your records? this week, it was reported that a govt. official canceled a contract when the company official made a comment about not liking Pres. Bush--what if our phone record shows a call to a friend's house and they have a teenager who calls a bunch of anti-bush groups? Do we automatically get flagged as a bush-basher and will that cause us financial harm by having doors closed on us?

    3. do you have any confidence the govt. will treat everyone's record equally? for example, do you think they will keep the phone records of Jack Abramoff or Duke Cunningham or Scooter Libby and make them available to every law enforcement agency requesting those records? Much more importantly, do you think they'll run data mining programs to make connections and diagrams of those people's "circle of friends" the same way they'd do so with our records?

    What are the odds that collecting the phone records of American citizens will improve our security more than preventing the flood of millions of ILLEGAL aliens across our borders? Think about that. They bring up "we're in a state of war" when passing laws that spy on ordinary US citizens but they totally neglect "we're in a state of war" when discussing their failure to secure our borders against MILLIONS of law-breakers coming into our country.

    This bill stinks. Companies that lose our records should be required to inform us that the theft happened so we can take preventive action against fraud. There is no good reason for the govt. to prevent companies from informing the public.
    1. Re:Why prevent companies from informing victims??? by Siffy · · Score: 1

      Both the summary and your snippet quote are misleading. The SS and FBI can delay informing the victims iff such notice will impede or compromise a criminal investigation or national security. Sure the "national security" clause is likely bs, but the rest is typical and smart. Also note the FBI/SS has to let the owner/company know in writing within 7 days of the reporting that they cannot inform the victims for 30 days. Or until the FBI/SS sees fit... That part kinda blows, but a 30 day delay will be the norm.

  44. Really old vs. less old vs. new Republicans by Chmcginn · · Score: 1

    It always confused me to think that the party that fought a war against state's rights 150 years ago became obsessed with them some 50 years ago. Apparently we've now come full circle, as the CAN-SPAM act, this act, and probably some others I can't think of / don't know about.

    --
    Have you been touched by his noodly appendage?
  45. Feds Covering Their Own Asses by Anonymous Coward · · Score: 0

    "allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public"

    This is more likely to allow the Feds to keep quiet their OWN thefts of personal data from companies. "Hey Bob, we were auditing Scumco's computers on that fraud case, and we found they keep wicked sweet personal details of their customers". "Great, shoot me a copy, Bill, I'll throw them in the pot. And cc a copy to 'The Decider'."

  46. Ugh, Let's Start Our Own Country, Slashdot by Free_Trial_Thinking · · Score: 1

    There's probably enough money between all of us to buy a nice cruise ship, sail into international waters, and make our own good laws! The perfect, sensible country.

    What do you guys say? Someone start the wiki to start planning this.

  47. Mine, All Data Mine by Doc+Ruby · · Score: 1

    So Sensenbrenner requires corporations to disclose ID leaks to the government - that's to Sensenbrenner. He also requires every American to have a government ID, which can be leaked. Sounds like Sensenbrenner is building his own database to exploit, maybe when he retires, or just runs for reelection again - paid for by bribes from corporate ID leakers.

    --
    make install -not war

  48. How do you know? by HermanAB · · Score: 1

    How do you know that a breach occurred? OK, in a few cases there are system logs, but there are bazillions of compromised Windoze machines out there, leaking information all the time. Does every crapware infestation found by Spybot S&D count as a data breach? It probably should.

    --
    Oh well, what the hell...
  49. Stupid, Stupid, Stupid by fredNonesuch · · Score: 1

    This law could potentially allow companies to circumvent and undermine state laws designed to protect consumers from identity theft.

    Speaking as someone who works in the security field, this is one of the most ill conceived bills imaginable. Most network management organizations are stretched thin, constantly being beaten up over outages and in no mood to take on additional work. Companies have to have strong economic or criminal penalties to offset this situation or it will not change. The ONLY reason companies are starting to take an interest in security issues now is because of the state laws forcing disclosure and acts such as Sarbanes-Oxley and Gramm-Leach-Bliley that have real teeth in the form of criminal penalties for CEOs. I'd support this sort of legislation if disclosure was mandatory within a short enough period of time to allow for lawsuits. That is enough pressure to start forcing real attention to security needs. As it is, this looks more like a corporate lobbying effort to reverse the state trends than progress.

  50. Supremacy clause by LandruBek · · Score: 1

    [The] summary makes it sound like they can circumvent state legislation. Um, my constitutional skills may be a little rusty, but I'm pretty sure that's what the 10th Amendment was all about.

    This is pretty clearly regulation of interstate commerce -- and thus very much constitutional, so the 10th amendment does not apply. If it is constitutional, it trumps state law because of the Supremacy clause.

    (FWIW, I agree with your first four paragraphs.)
    LandruBek

    --
    $META_SIG_JOKE
  51. Please explain by KlomDark · · Score: 1

    I heard someone else talking about the same topic (direct election of senators somehow being a problem) the other day - I'm finding myself ignorant on this topic and not understanding.

    Can someone please explain how taking the vote for senators out of the hands of people and placing it in the state government will help things? My mind is open on this one. Not slamming the idea, just not understanding how it will help anything.

  52. SK? by KlomDark · · Score: 1

    What is this SK you are speaking of?

    Stephen King?
    Super Kmart?
    Saskatchewan?
    Scandinavia?

    Hard to follow an example when you cannot follow the example, as it makes no sense. SK?