Slashdot Mirror


Congress Proposes Data Breach Disclosure Bill

segphault writes "A new data breach disclosure bill proposed by Senator Sensenbrenner (the same politician that sponsored the infamous Real ID Act) requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers. The punishments for failing to disclose information about data breaches to federal law enforcement agents under this new bill include jail time and massive fines. Although this bill requires disclosure to the government, it does not require companies to inform the victims of data theft. Furthermore, it allows federal law enforcement agencies to prevent companies from voluntarily disclosing information about breaches to the public, even if the companies are required to do so by state laws. This law could potentially allow companies to circumvent and undermine state laws designed to protect consumers from identity theft."

15 of 101 comments

  1. Great...oh wait... by MarkusQ · · Score: 2, Insightful

    When I read this part of the summary:

    The punishments for failing to disclose information about data breaches to federal law enforcement agents under this new bill include jail time and massive fines.

    My first thought was, it's about damn time.

    Then I realized that they probably weren't talking about the sort of "data breaches to federal law enforcement agents" I was thinking they were.

    --MarkusQ

    P.S. If you missed my insightful post on the "poll says people want the NSA to spy on them" story there's still time to check it out.

  2. Um, no.... by Internet+Ronin · · Score: 5, Insightful

    Look, who gives a flying fuck if the government knows? I certainly don't. In fact, I'd rather they didn't.

    This government is getting way too nosy, IMHO. I don't care what the reason is, I'm sick and fucking tired of being saved from myself. Let me smoke my cigarette in my bar, and masturbate the Islamic terrorist porno, leave me ALONE.

    Hey old white bastards, how about a law that requires me to be informed when my companies data has been hacked? Or better yet, why don't you worry about things like maintaining roads. Why is it that the NSA knows what sort of hemorrhoid creme I prefer, and when my girlfriend's periods are, but I can't drive down I-20 for more than 3 hours without needing a new wheel alignment for my car?

    How about a fucking law that says I get to be informed every single time my personal information is accessed by the government? Every time I turn on the news I seem to be reading about how the Department of Homeland Security is making sure I'm following the latest terror alerts and that I'm not cooperating with al-Qaida via Xbox Live. I mean, Jesus, what the hell.

    Even better, the slashdot summary makes it sound like they can circumvent state legislation. Um, my constitutional skills may be a little rusty, but I'm pretty sure that's what the 10th Amendment was all about.

    While we're on the subject, what about the 9th Amendment? I'm pretty sure that that one said that we have rights that may not be explicitly mentioned in the Bill of Rights, and thus, we reserve those rights. It seems like America is serving up its rights like a Shoney's smorgasbord. It's like 8.99 all-you-can-give-away at the Patriot Act Red Lobster. Jesus.

    Douglas Adams once said (forgive my horrible paraphrasing, as I don't have my copy of Salmon of Doubt with me) that Australians often say "We're the last place left mate," and it made him nervous because of the confidence with which he said it. Makes me wanna see if they're right, cuz quite frankly I'm sick of this place. It's not just the politicians, it's the people. How can my vote count if I realize for every vote I cast with some knowledge of the issues, there's fifty people who are being exploited by like-minded zealots whose sole purpose is to acquire power, and seek to retain that power.

    Madison, in Federalist 9 & 10, argued that mutual self-interest will keep the 'factions' in line, draw them towards a central, middle ground, and thus make decisions that are best for everyone. The problem seems to be that not all 'factions' are allowed into the game. At this point, I've got to request that I be allowed to collect my chips and move to another table, cuz I think I'm getting screwed, and all I see is more Dick coming. ~a

    1. Re:Um, no.... by farble1670 · · Score: 1, Insightful

      Let me smoke my cigarette in my bar

      don't flatter yourself. laws that disallow indoor smoking have nothing to do with saving you from yourself. it has to do with saving other people from you. it's about second hand smoke.

  3. What about gov computers? by Anonymous Coward · · Score: 2, Insightful

    Will the government be required to disclose computer breaches? Will the public be informed? Who will get the fine or jail time when a computer breach occurs on government computer systems and no one reports it? Maybe this is to help fight the war on terrorism?

    The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, and Veterans Affairs. The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004.

    IRS Leaves Taxpayer Data Largely Unprotected: http://it.slashdot.org/article.pl?sid=06/04/07/1942259

  4. Re:Keeping quiet isn't always bad by ZachPruckowski · · Score: 2, Insightful

    Yes, but it also gives the perps more time to use the stolen stuff. I mean, if the fraud is at least reported to credit agencies, they can have a heads-up. I mean, it's a lot better for the victim to stop this before money gets spent. And I'm sure the CC companies feel the same way.

  5. Re:Feels great to know the history you're already by Internet+Ronin · · Score: 3, Insightful

    I would assume, given your sig, that you already know this isn't the case. This time in history is unique because of the unprecedented level of communication and communication observation ability of most people. If you wanted to get lost in 1890, you could. You can't get lost today. DNA, fingerprinting, mandatory photo IDs, e-mail, telephones, RF communications, purchasing habits. You can be found in America. Sure, if you disappear into some caves in Afghanistan, no one can find you, but the second you plug into the grid in modern America, you're there to stay. Jefferson is rolling over in his grave.

    If you want to know the truth, I believe it can be saved, but it's going to take people who aren't self-interested. Or at least not wholly self-interested. I hope to take place in our great political machine, and I suspect that unless things change drastically and quickly, I'll commit political suicide within a few hours. I won't be getting my knob slobbed, but the second I start voting down education funding cuz some wacko Alaskan rep has tacked on an 8.2 million dollar rider to subsidize his mining industry, I'll be hosed.

    What happened to the philosopher-rulers that Plato waxed romantic about? That's really where I fear the problem is. The system is too entrenched to be dug out without martyrs. I've happily accepted my future place on the cross, I just hope it's not in vain.

  6. Hooray for unfunded mandates! by RyanFenton · · Score: 3, Insightful

    I'm certainly no libertarian - and I hate the way that information about myself and my choices is being traded and used in the marketplace... but this seems like an unfunded mandate by way of criminalizing inaction after the fact. Seems more like a tool so that the government can punish people who embarrass them after the fact, rather than an active step to secure this information.

    If they want to secure this information, either make it all illegal to use and hold in insecure ways (like on a networked computer), or fund a method of secure use of this information. Punishing the inevitable breach of security in the marketplace after the fact won't change the fact that such breaches are inevitable, and I very much doubt such punishments will improve this particular marketplace.

    Ryan Fenton

  7. change the requirements... by freedom_india · · Score: 3, Insightful

    If I am running a company, I would store exactly 9,999 records per database schema and ASP the rest.

    That way breaches don't affect me.

    Any concern that stores even a single record about anyone who is not an employee should be forced to disclose the details to the Feds and to the people whose records were compromised.

    The company should then be prevented from storing any such records for the next decade. In addition the maximum of 250K should be automatically payable within 15 days to such people.

    Failure to pay the amount would result in jail time for the CEO and CTO.

    What am I talking? Laws are not made for logical reasons... laws are made in smoke-filled backrooms where my senator can compromise my state's water rights for a few more air bases or National Guard bases....

    --
    "Doing what i can, with what i have." ~ Burt Gummer

  8. Ok, but could you be a little more vague? by Weaselmancer · · Score: 3, Insightful

    requires companies to inform federal law enforcement agencies if a database containing information on more than 10,000 citizens is infiltrated by hackers.

    If you have enough users, does "cat /etc/passwd" count?

    --
    Weaselmancer
    rediculous.

  9. Re:Feels great to know the history you're already by Polarism · · Score: 2, Insightful

    Yes, I already know it isn't the case, hence the rather self-depreciating wording I used.

    Not only that, but I was a cog in the machine for a few years, so I know how it works. It really doesn't matter how I try to explain it, nor is it really a big deal of course, but I do have intimate knowledge of the laws and policies that some of these issues are governed by, or at least were governed by at some point in history.

    I've said for many years that I do not vote for the simple reason that the voters have been marginalized completely. Right now voting has nothing to do with the real issues that we face, but rather the ones that extract the largest emotional reaction from the public that will benefit one party over another. The fact that we only have two major political parties is also extremely suicidal to our system of government.

    In order to have a functional "Democracy" as we like to call it, I believe there need to be at least 4 major political parties, and by major I do mean relatively close to a 25% support number.

    I predict we haven't even seen 1% of the abuse potential available to those in power yet, and things are going to get quite interesting during the next 20 years.

    --
    All your base are belong to Google.

  10. Time to get a new job by Zadaz · · Score: 3, Insightful

    Time to get a job with the Feds. They can't possibly have enough people on staff to respond to/enforce all of these laws. Just think how many people it takes to go through those tens of millions of phone calls from the hundreds of thousands of terrorists in the US.

    Seriously though, it's a shame they'd override the states' rights. The only reason most data thefts see the light of day nationally is a California law that makes them do it. If you live in California, the company is required to notify the affected people that their data was mishandled.

    If they want to encourage tighter security, seems like bad PR for a whole company is at least as effective as sending some dork to Federal PMITA prison.

    I haven't looked up the numbers but I'd bet the penalty for having a stolen database would be worse than actually stealing one.

  11. Re:Government is as Government does by Reziac · · Score: 2, Insightful

    That's a scary thought... and altogether too likely, given the current political climate. After all, who would be more likely to both create a data breach (in the course of an "investigation") AND not want the breached party to tell average citizens about it??

    One begins to wonder just exactly who actually authored this bill...

    Now look what you've done -- now I've got to get my tinfoil hat refitted!!

    --
    ~REZ~ #43301. Who'd fake being me anyway?

  12. Re:Government is as Government does by ksheff · · Score: 2, Insightful

    They'll get black marks on their next performance review because the company was able to determine that there was a security breach.

    --
    the good ground has been paved over by suicidal maniacs

  13. Why not? by PingXao · · Score: 2, Insightful

    There are already many laws on the books that basically say to the people: you don't have any right to know about (fill_in_the_blank). What's one more? Want to know why you're on a do not fly list? Sorry, can't tell you that. Want your congressman to investigate exactly how far the president's secret domestic program goes? Sorry, you're not allowed to know that. Want to know why gubmint investigators are snooping around your life? Sorry, can't tell you that. Want to know what crime they are going to charge you with? Sorry, that's none of your business. Want to know why they feel the Constitution doesn't apply anymore? Sorry, none of your business. Want to know exactly who they consider a terrarist? Sorry, you don't need to know that. Want to know if the gubmint has broken into your home looking to plant evidence against you? Sorry, you don't have a right to that information.

    Well fuck that. If Americans are willing to cede so much control to the gubmint and don't give a damn enough to see to it that the people who say "trust us" can actually be trusted then they deserve every single damn thing that happens to them, and I count myself among them, unfortunately. Democracy and freedom. Government of the people, for the people and BY the people. It was nice while it lasted. Now, back to a century or 2 of tyranny I guess.

  14. Punishing the "right" wrongs: ID theft for a start by D4C5CE · · Score: 3, Insightful

    Assuming and abusing someone else's identity to burden the victim with the cost and complaints stemming from the perpetrator's actions... this is the activity which should clearly be a crime, severely and thoroughly prosecuted and punished by sufficiently qualified (i.e. computer-literate) authorities.

    If this means jail time for the "top" several hundred spammers and scammers on counts of identity theft alone, this is only welcome - and actually at least a decade late!

    Crime is best fought by apprehending the criminals, not by gag orders on the organisations who happen to have held enabling information in an insecure manner - which would make it even harder for the individuals affected to show they are completely innocent victims rather than crooks.