CA Senator Pushing For Tightened Data Breach Notification
California State Senator Joe Simitian has introduced new legislation designed to tighten data breach notification requirements, forcing businesses to provide more information about any data that has been leaked and to notify state authorities. Not included in the legislation are compensation requirements for data breach victims, which, according to Simitian, are not likely to be added for quite some time. "Instead, the next focus of legislation, he said, would likely be on who should bear the cost of sending out notifications to consumers. For example, should a credit card processing company that experiences a breach be responsible for the cost of notifying bank customers? When retailer TJX discovered in 2006 that hackers had accessed credit and debit card numbers passing through its network, banks were left notifying the customers, then had to sue TJX to get compensation for those costs. Heartland Payment Systems, which experienced a breach of credit and debit card numbers in January, has recently been sued by banks to recover their breach notification costs."
Finally, some good legislation coming from a California politician!
Who is this "Chilling" of whom you speak?
You know who else pushed for tightened data breach notification? Chilling.
Please. Do enlighten us, Mr. Troll Person...
Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
What's the point of notifying the public that their data has been lost, when they can't do anything about it? At the very least, they should be able to sue in a class action. Ideally, there should be some government organisation that tracks down the identity/resource thieves, figures out what damage was done without the owner's knowledge, returns things to rights, then bills the company that leaked it for all the trouble caused. If the upshot is that people just get a letter saying they're screwed, then why bother? It's basically just a cop-out.
Sounds like that would be useful for goatse.
Well that's the first thing that came to my mind anyway.
It's fairly obvious that the cost of informing customers - and other related costs - should be borne by the organisation who failed in their duty to ensure the integrity and confidentiality of the data. After all, until we are at a point where it is cheaper to take the measures to keep the data safe than to be delinquent, companies are incentivised to be delinquent.
I'm going to try to avoid the "Microsoft Blame Game" as frankly that gets us nowhere. But I will say that there are some older technologies that work better for transaction processing and storage than some newer, more contemporary systems.
And frankly, even though some processing and transaction systems are very convenient for both processors and consumers, I think it just might be time to rein in many of these conveniences as implementation of any sort is simply too risky.
All these reporting requirements are intended to add pressure to companies to take their systems security more seriously, but frankly, they will never listen until you tell them EXACTLY what is expected of them. Businesses are in the habit of managing risk that they feel is acceptable, but the problem is, they don't mind risking other people's data or their lives or anything else if it's not theirs directly.
When people handle food, the government steps in with inspectors and laws and all sorts of things to help better ensure that your burger will not kill you. This has proven to work pretty well even though it has not stopped violators entirely. The same should be required of people handling sensitive financial and other personal information.
Stores should not store credit card numbers, unless there is an intention to trade privacy information with ad agencies (internal or external). In such cases the law is good, in that it penalizes the data keeper.
However, there are other ways to limit the effect of data theft. The credit card company should accept a hash of the name and the credit card number as the card identifier. Stores should not be required to keep credit card numbers in plain text.
In this architecture it will be practically unusable to steal and use credit card number data. When fully implemented, stores should not be forced to reveal every data theft. Imagine with this law, one rogue employee can affect a large chain store that employs thousands of people.
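The hashed-identifier architecture sketched in the post above, worked through as an added example (this is not code from the original thread, and the `Processor`, `Merchant`, merchant ids, key and card number are all constructed for illustration). It departs from the post in one respect a practitioner would insist on: the identifier is a keyed HMAC computed with a secret held only by the card processor and bound to the merchant, rather than a plain hash of name plus card number. An unkeyed hash is reproducible by anyone who knows or can enumerate the inputs, and the space of valid card numbers is small enough that this matters; the keyed, merchant-bound token is what makes a stolen merchant database "practically unusable", since the token neither reveals the card number nor works at a different merchant.

```python
"""Merchant-side card tokenization: the merchant stores only a keyed token,
the processor keeps the real card number (PAN). Constructed example; the key,
merchant ids and card number below are made up for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always produces the same token."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, so obviously malformed PANs are rejected at enrollment."""
    digits = [int(c) for c in normalize_pan(pan)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_identifier(name: str, pan: str) -> str:
    """The scheme as literally proposed: hash(name + PAN). Shown only to contrast with
    the keyed token below: anyone holding the same public inputs gets the same value."""
    msg = name.strip().lower().encode() + b"\x00" + normalize_pan(pan).encode()
    return hashlib.sha256(msg).hexdigest()


@dataclass
class Processor:
    """The card processor. Holds the HMAC key and the only token -> PAN mapping."""
    key: bytes
    vault: dict = field(default_factory=dict)   # token -> (merchant_id, PAN); exists only here

    def token_for(self, merchant_id: str, name: str, pan: str) -> str:
        # Binding the merchant id into the MAC means the same card yields a
        # different token at every merchant, so a token stolen from one store
        # cannot be replayed at another.
        msg = b"\x00".join([merchant_id.encode(),
                            name.strip().lower().encode(),
                            normalize_pan(pan).encode()])
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def enroll(self, merchant_id: str, name: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        tok = self.token_for(merchant_id, name, pan)
        self.vault[tok] = (merchant_id, normalize_pan(pan))
        return tok

    def charge(self, merchant_id: str, token: str, cents: int) -> bool:
        """Authorize a charge by token. The PAN is looked up here and never sent back."""
        entry = self.vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return False            # unknown token, or token issued to a different merchant
        return cents > 0            # the real authorization against entry[1] would happen here


@dataclass
class Merchant:
    """A store. Its sales ledger is everything a breach of the store would expose."""
    merchant_id: str
    sales: list = field(default_factory=list)   # (token, cents) only; no PAN is ever stored

    def sell(self, processor: Processor, name: str, pan: str, cents: int) -> bool:
        tok = processor.enroll(self.merchant_id, name, pan)
        self.sales.append((tok, cents))
        return processor.charge(self.merchant_id, tok, cents)

    def dump(self) -> str:
        """What an attacker who copies the store's database would get."""
        return "\n".join(f"{tok},{cents}" for tok, cents in self.sales)


if __name__ == "__main__":
    proc = Processor(key=b"constructed-processor-secret-not-for-real-use")
    store_a = Merchant("store-a")
    store_a.sell(proc, "Jane Doe", "4111 1111 1111 1111", 1999)   # constructed test PAN
    stolen_token = store_a.sales[0][0]
    print("breached ledger:", store_a.dump())
    print("replay at store-b accepted:", proc.charge("store-b", stolen_token, 1999))
```

Run as a script it prints the store's ledger (tokens and amounts, no card numbers) and shows that the token taken from store-a is refused when presented as store-b. The processor's vault is the one place the mapping exists, which is the property the post is after: a breach at a store yields nothing usable, while the processor remains the party that must protect the PANs and the HMAC key.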
Having received one such notification, it prompted me to keep a closer eye on my credit report and weigh the option of freezing my credit report, thus making it harder for anyone to use my personally identifying info to borrow money under my name.
In my case, a previous employer who was breached explained the circumstances (something they never would have done without the law), and offered to pay for credit monitoring (not required AFAIK). A very responsible approach to their mistake.
A friend who was hit by the Univ. of CA breach was notified because of the law, but not offered monitoring.
These notifications were useful to the affected individuals, even if their expense alone may not in itself have been enough to motivate better security procedures at the breached organizations.
And obviously, if it happens again soon at either organization, people will raise hell.
It's a start.
Right, except that all the extra cost from the burden will still be passed on to customers.
Which is exactly how it should be. Customers will then switch to the more secure service providers because they are cheaper.
This is even true if the "customers" are other corporations, such as banks.
Making the responsible party bear the cost of their mistakes is an incentive to make fewer mistakes.
Notification of a "breach" is all well and good, but in many cases there shouldn't be as much data to breach in the first place.
A recent personal example makes my point; I am a bit disturbed that both the University I graduated from decades ago, and the guy I bought a car from 3 years ago, both send me birthday cards... I don't find it a nice gesture, I find it just wrong that they have retained my personal ID info for their marketing purposes. Therefore I will stop donating to the university and I will not buy a car from that dealership again. (It's not like I signed up for the "birthday club" or anything. Obviously they have "mined" my data collected for other purposes.)
Seems like a better law would be that personal information be purged from the records of any place that has no legitimate reason to retain them.
This issue is a bit more complicated than you think.
I think that instead of all of these point solution laws that we keep passing aimed at specific facets of the consumer data protection process, we should put together a working group to pass a comprehensive law that addresses the real root problems. Such a comprehensive approach could address items such as time to live, how data may be used/mined/obtained, information protection requirements, privacy and notification mechanisms and responsibilities for all parties concerned. Maybe if we take a wider, deeper look at the real problem, we can find ways that the law could really help protect consumers instead of just giving PCI Council, attorneys and others more "buttons to push". I am a big supporter of addressing the real root of the problem, but the legal and regulatory landscape around data protection and privacy is already so confusing for average organizations, that while loaded with good intention, anything less than a comprehensive approach at this point is likely to make the situation more difficult. Legal approaches also need to consider that according to the Verizon breach report for 2009, around 66% of all breaches happened around data that organizations didn't even know they had and 75% of breaches were identified by third parties outside of the victim organization. Until we can establish legal requirements that tie security groups to lowering those numbers, in my opinion, all else is likely to fail anyway.
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
Why isn't there legislation in place to hold the companies accountable for your data loss if they were not taking appropriate precautions against data loss or breach? As someone who has had data compromised twice in the last year (once through my mortgage company and once through my employer) I feel that being notified promptly is a good first step, but making companies accountable for their inaction would be more apt to prevent these events in the first place.