Slashdot Mirror
Governator Kills Data Protection Law
eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."
C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...
Bow-ties are cool.
Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").
You can never go home again... but I guess you can shop there.
Couldn't they redraft the law such that there are several levels of compliance. If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.
So
What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.
With the increase in "identity theft" it should be apparent to anyone that the "marketplace" is not capable of regulating itself.
All a "marketplace" does is ensure that those with the most power KEEP the most power. And right now that is not the credit consumer.
When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.
So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.
Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.
I can imagine that in the state of CA there must be a ton of internet businesses just dying to sell user data. And a lot of those companies will be directing some of their new revenue to the governor that made it all possible. If he can put an 'anti red tape and government bureaucracy' face on it, all the better.
All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.
Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We need to have some level of protection when we give our information away. I seen all of the bad example out there even for the big companies like TJX. But for the small and medium size business they don't have the resources, or at least want to release these resources, to protect this data in this manner. I understand this from both side and the legislature should create a bill that has this protections for the consumers but for the small to medium sized business which can prove that they cannot afford such a system that they some for of tax break or something so they can get the system to protect us in California and hopefully this will spread to to the rest of the country.
The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/Card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned. In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code. That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare). The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four or the last four alone. If your merchant gives you a receipt (and their copy shows also) any thing other than XXXXXXXXXXXX1234 (shorten for some incarnations of Visa and AMEX), XXXX1234 or 1234 complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry/Data Security Standard 1.1 (2005).
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
Football Odds
I, as an individual, prefer to be responsible for protecting my own data
Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once with these guys then they have you pegged for the rest of your life. It is practically impossible to avoid the information brokers without living under a rock and paying for everything in cash.
Your calulations are overly simplistic.
You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.
As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.
If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )
Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.
The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"
and more...
Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.
This is my sig.
Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.
I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshhold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.They don't seem to close or kill small business in EU, isn't it ? Last time I looked the big conglomerate were not the main employer in many country, the small enterprise cover more than 50% of the jobs (66% for France for example), with an increasing tendency in the last few years (~60% 1985 for France up to 66+% today, I took the example of France because this is the first which came up in google). So REALLY if data protection law killed small enterprise, we would know by now.
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Well as a business owner of course it's good for you if somebody else absorbs the cost of the risks you take.
So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.
Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable steps to protect it, it costs him a great deal, in lost credit, reputation, and personal anguish. How much of the dollar cost are you responsible for? Surely not all -- the identity thieves themselves must bear most ofthe responsibilty. On the other hand, surely not zero, for the customer would never have been exposed to the thieves if it weren't for your failure to take reasonable steps.
It's clear you bear some responsibility, but the fact there is no way to quantify your contribution to the customer's loss bears on a bug in the law. If the damages cannot be quantified, you are completely off the hook as far as liability is concerned. The customer can get injunctive relief. The courts can say, "stop doing that." But that's it.
One thing the legislature can do is specify a standard damage figure. Let's say that your negligence leads to identity theft of a customer. They can say that if you negligently contribute to that, you are responsible for $1,000 of "per se damages", whether the total actual damages suffered by the customer are $100,000 or $1,000,000. It sounds reasonable and manageable. It may be enough (in aggregate) to motivate your less morally scrupulous competitors to match your principled investment in customer security.
But remember the anguish suffered by the customer? The humiliation? The year of his life devoted to dealing with a stupid credit rating crisis? Once he has handle on your for the $1,000 of damages, he can also add the cost of those things, plus payback.
This leaves us with three options.
Option 1: leave things as they are. This is good for your unscrupulous competitors, maybe not so good for you. Definitely bad for consumers (including you in your role as consumer).
Option 2: specify "per se" damages. Unfortunately, you'll never know how much protection is "enough". Enough is enough to convince any conceivable jury you did your duty. Better add to your liability insurance.
Option 3: regulatory oversight. Expect having to file data security reports.
Which approach is least burdensome to society as a whole? Which of these can businesses manage to deal with? Overall, a well designed regulatory regime is probably the most predictable and manageable. On the other hand, it's always possible for regulations to be drafted that don't do the job and cost a lot of money. It depends on who is running the regulatory agency, in this case, ultimately, the governor of California.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Goodness, we don't want to make businesses pay money for stuff.
Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.
They also have no problem making billions exploiting the data they spent so much money accumulating and processing.
Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.