Slashdot Mirror
Governator Kills Data Protection Law
eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."
But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
What about automatically recurring bills, like web hosting.
Libertarian Leaning Political Discussion Forum.
I guess the above isn't illegal anymore, right Taco?
C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...
Bow-ties are cool.
How do one "kill" a law, really? Bah -- surely, Arnold must have terminated this law.
Beware: In C++, your friends can see your privates!
Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").
You can never go home again... but I guess you can shop there.
Here's the printer friendly version, with (somewhat) fewer advertisements.
http://www.eweek.com/print_article2/0,1217,a=217199,00.asp
(posted as anon to avoid Karma whoring)
Couldn't they redraft the law such that there are several levels of compliance. If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.
Seems like a lot of companies out there today do not give the proper effort required to make even rudimentary considerations to the security of client data. This reminds me of an experience I had a few weeks ago. This is 100% true. I was sitting in a subway station waiting for a train. I sat down on a bench and noticed a plain unmarked vanilla envelope sitting on the bench next to me. There was no one else around so it was obvious whoever it belonged to had left it. I opened it and discovered it was several pages of customer records for a hotel chain (don't remember which). It had their names, what nights they had stayed, some additional information, and their FULL credit card numbers they had used to pay printed next to the names. I was amazed that someone would just leave this kind of information lying around anywhere for anyone to find.
The real "Libtards" are the Libertarians!
So
What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.
With the increase in "identity theft" it should be apparent to anyone that the "marketplace" is not capable of regulating itself.
All a "marketplace" does is ensure that those with the most power KEEP the most power. And right now that is not the credit consumer.
... It's a Total Recall!
-- thinkyhead software and media
When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.
So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.
Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.
I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.
These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.
With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.
Laws have consequenses. And someday the consequence may be your job.
Then-Lt. Gov. Cruz Bustamante was the biggest candidate that he faced, and that was a very, very poor choice.
Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of closed-door, secret meetings selling off the state's future.
You can never go home again... but I guess you can shop there.
All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.
Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Actually, his biggest opponent was Davis. Over 40% of the people voted to NOT recall him. If the courts hadn't made the braindead decision that he couldn't be on the general recall ballot, he probably would have been recalled, then rewon the election.
I still have more fans than freaks. WTF is wrong with you people?
The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/Card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned. In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code. That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare). The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four or the last four alone. If your merchant gives you a receipt (and their copy shows also) any thing other than XXXXXXXXXXXX1234 (shorten for some incarnations of Visa and AMEX), XXXX1234 or 1234 complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry/Data Security Standard 1.1 (2005).
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
Hey, don't bash Arnie! Judging from Bush, the way he butchers English he could be President if he was born in the USA.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Football Odds
I, as an individual, prefer to be responsible for protecting my own data
Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once with these guys then they have you pegged for the rest of your life. It is practically impossible to avoid the information brokers without living under a rock and paying for everything in cash.
Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.
Your calulations are overly simplistic.
You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.
As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.
If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )
Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.
The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"
and more...
Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.
This is my sig.
Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.
I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshhold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.Most of my customers are small businesses which also process credit cards. What you have to remember is the controversial portions of the law are *already* requirements for small businesses which process credit cards. I invite you to read the PCI-DSS 1.1 (and yes, there are a lot of non-compliant small businesses out there).
Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violations resulting in theft of sensitive cardholder information. Many smaller fines are levied against businesses who are required to certify their compliance with third parties (these are either larger businesses or those who have had past problems).
This isn't about an attack on smaller businesses. Businesses *should* be doing this already. If they don't they are already risking their continued operations. Hopefully such a law would help build awareness of these sorts of problems and help small businesses actually avoid problems. Yes, compliance is a bear, but already the costs of noncompliance, as levied by Visa/Mastercard are sufficient to drive small businesses out of business.
LedgerSMB: Open source Accounting/ERP
The PCI-DSS 1.1 states: 5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal
computers and servers)
Note: Systems commonly affected by viruses typically do not include UNIX-based operating
systems or mainframes.[emphasis mine] Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.
LedgerSMB: Open source Accounting/ERP
I wonder if he gets a speech trainer to help him _keep_ his accent.
After all just imagine what would happen if he loses his accent. Imagine an Arnie movie with Arnie speaking in English but without his accent.
They don't seem to close or kill small business in EU, isn't it ? Last time I looked the big conglomerate were not the main employer in many country, the small enterprise cover more than 50% of the jobs (66% for France for example), with an increasing tendency in the last few years (~60% 1985 for France up to 66+% today, I took the example of France because this is the first which came up in google). So REALLY if data protection law killed small enterprise, we would know by now.
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Well as a business owner of course it's good for you if somebody else absorbs the cost of the risks you take.
So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.
Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable steps to protect it, it costs him a great deal, in lost credit, reputation, and personal anguish. How much of the dollar cost are you responsible for? Surely not all -- the identity thieves themselves must bear most ofthe responsibilty. On the other hand, surely not zero, for the customer would never have been exposed to the thieves if it weren't for your failure to take reasonable steps.
It's clear you bear some responsibility, but the fact there is no way to quantify your contribution to the customer's loss bears on a bug in the law. If the damages cannot be quantified, you are completely off the hook as far as liability is concerned. The customer can get injunctive relief. The courts can say, "stop doing that." But that's it.
One thing the legislature can do is specify a standard damage figure. Let's say that your negligence leads to identity theft of a customer. They can say that if you negligently contribute to that, you are responsible for $1,000 of "per se damages", whether the total actual damages suffered by the customer are $100,000 or $1,000,000. It sounds reasonable and manageable. It may be enough (in aggregate) to motivate your less morally scrupulous competitors to match your principled investment in customer security.
But remember the anguish suffered by the customer? The humiliation? The year of his life devoted to dealing with a stupid credit rating crisis? Once he has handle on your for the $1,000 of damages, he can also add the cost of those things, plus payback.
This leaves us with three options.
Option 1: leave things as they are. This is good for your unscrupulous competitors, maybe not so good for you. Definitely bad for consumers (including you in your role as consumer).
Option 2: specify "per se" damages. Unfortunately, you'll never know how much protection is "enough". Enough is enough to convince any conceivable jury you did your duty. Better add to your liability insurance.
Option 3: regulatory oversight. Expect having to file data security reports.
Which approach is least burdensome to society as a whole? Which of these can businesses manage to deal with? Overall, a well designed regulatory regime is probably the most predictable and manageable. On the other hand, it's always possible for regulations to be drafted that don't do the job and cost a lot of money. It depends on who is running the regulatory agency, in this case, ultimately, the governor of California.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Goodness, we don't want to make businesses pay money for stuff.
Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.
They also have no problem making billions exploiting the data they spent so much money accumulating and processing.
Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.