Legislation In the Works To Require Companies To Report Privacy Breaches
An anonymous reader writes with news that a bill is being drafted by Rep. Mary Bono Mack (R-Cal) that would make it mandatory for companies to notify the government within 48 hours of discovering a data breach.
"Mack's discussion draft promises to 'protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.' According to a background staff memo, the Secure and Fortify Electronic Data [SAFE Data] Act, is based on a bill that passed the House in the last Congress. ... Mack spokesman Ken Johnson said there could be a few tweaks before it is formally introduced. 'But it’s safe to say that we are going to have an aggressive timetable in place for moving the bill through subcommittee and full committee,' Johnson said. 'Consumers want something done soon.'"
How about instead of notifying the government, they have to notify their customers, like California requires? Maybe require signup forms to list past breaches?
That'll help keep the newspapers afloat, too!
Who's going to investigate/enforce these cases? The state of California? Somehow I don't think so.
There are already private lawsuits that fit the need, including the costs involved.
So this legislation makes it mandatory for them to notify the government within 48 hours... What about notifying customers and/or the general public? If someone steals my private info, especially banking info, I need to know ASAP. If they can still wait a week (or a month) before reporting to customers, this legislation is basically useless.
TFA mentions "nationwide" notification, but not a timetable.
Because it's worked so well the last half-dozen times it was legislated. So well, in fact, that they have to pass another law stating essentially exactly what the previous ones did. How about next time they want to legislate this, they actually pay the enforcement agency, wait a few months for the enforcement agency to do their jobs, then take a flying leap?
Just because you're paranoid doesn't mean they aren't out to get you
"If you plan to shoplift, please let us know. Thanks"
Nothing but a scapegoat to cover up intentional 'leaking' of data to the highest bidder. Then some expendable CIO will get thrown in front of the bus to 'close' the case... rinse, repeat... Just more noise... You have no privacy.
For justice, we must go to Don Corleone
done to protect customers. Because if customers lose confidence in a brand, or a product, a feature or a service,
they're one step closer to realizing they may never have needed the aforementioned item.
Make no mistake... this law is being enacted to protect two things:
conspicuous consumption,
and the requirement for American consumers to be both poorly educated and wanton in their purchases.
Both of these elements are cornerstones in modern American society,
upon which our class system is based and our wealth structures maintained.
Good people go to bed earlier.
Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?
Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)
I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.
If they haven't collected enough evidence in 120 hours, then they should pull the plug.
I'd rather you do it wrong, than for me to have to do it at all.
But you see, this requires disclosure upon "discovering" a data breach. I have a feeling a couple of smart-ass lawyers and an exec could find loopholes in whatever law may get passed, possibly with some extra unintended consequences.
All these assholes could just stop storing everything in cleartext, and the problem would just go away without needing to involve bureaucrats.
-- http://www.criticalassets.com
If the law is applied, what will the government do with the tens of notifications each day?
Sure. Notify the Government and turn over a copy of all the files that might have been compromised, so that they can be, um, closely monitored for any suspicious activity that might lead to the capture of those terrible evil hackers. Because I love the idea of the Government having all the private info I gave to some company, and of the people who breached the company's security having it as well.
Why not require them to take proper steps to protect the data, not some half-arsed security mirage on the cheap done by the CTO's nephew's brother's neighbor's friend fresh out of CS101? The government could even mandate that corporations hire a bluehat to give their systems a once-over, or hire convicted hackers on a work-release program (it takes a thief to catch a thief, after all) to pentest the defenses, and fine them if the result is not acceptable.
But requiring notification with today's password reuse is not going to help: most people use a single master password (present company excepted), so if one account gets hacked, all of them can be considered compromised. John Doe is never going to track down all the passwords that need changing (too many services used once and forgotten, too lazy, doesn't care, etc.), if he bothers to change any of them.
Hyperbole: I use it liberally!
Agreed - even 48 hours is a bit long in today's digital world, and the government would only be a middle-man to whom the information needs to get, as you were saying.
If the legislators knew anything about computers, maybe they'd do something smart like require auditing software which detects mass-retrieval of data. That way, in most instances, the leak can be detected immediately instead of potentially not at all like some companies.
Heck - I think it would be better to require them to notify the government and their consumers within 48 hours of the breech regardless of whether or not they have detected it and subject them to a fine based on the severity of the retrieval and how detectable it should have been if it took them more than 48 hours to detect and report.
It won't stop data breeches, but it will make sure decent audit systems are in place.
Well, back to rejecting software patent applications.
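As an added illustration of the "auditing software which detects mass-retrieval of data" idea in the comment above (example code written for this page, not from the original thread or any product), the following runs a simple detector over a constructed access log. The log line format, the five-minute window and the threshold of 50 distinct records are assumptions chosen for the example; a real deployment would tune them per data store and per role. Note that it counts distinct records rather than raw reads, so a buggy client re-fetching the same row in a loop does not trigger it, while a bulk export of many different rows does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line format for this example:
#   2011-06-13T09:00:00Z user=alice action=read record=cust/1000
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$'
)


def parse_line(line):
    """Return (timestamp, user, action, record) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ')
    return ts, m.group('user'), m.group('action'), m.group('record')


def detect_mass_retrieval(lines, window=timedelta(minutes=5), threshold=50,
                          actions=('read', 'export')):
    """Flag any user who touches >= threshold *distinct* records within `window`.

    Lines are assumed to be in chronological order. Returns one alert per user,
    as (user, timestamp_when_threshold_was_crossed, distinct_records_in_window).
    """
    recent = defaultdict(deque)   # user -> deque of (ts, record) still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # ignore noise; a real system would count parse failures
        ts, user, action, record = parsed
        if action not in actions:
            continue
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts


def _fmt(ts, user, action, record):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} user={user} action={action} record={record}"


def sample_log():
    """Constructed sample: one normal user, one noisy-but-harmless user, one bulk exporter."""
    base = datetime(2011, 6, 13, 9, 0, 0)
    lines = []
    # alice: six different records over an hour - ordinary interactive use
    for i in range(6):
        lines.append(_fmt(base + timedelta(minutes=10 * i), 'alice', 'read', f'cust/{1000 + i}'))
    # carol: the same record re-read 100 times in under a minute - noisy, not a mass retrieval
    for i in range(100):
        lines.append(_fmt(base + timedelta(seconds=i // 2), 'carol', 'read', 'cust/42'))
    # bob: 60 different records exported in two minutes - this is the pattern to catch
    for i in range(60):
        lines.append(_fmt(base + timedelta(seconds=2 * i), 'bob', 'export', f'cust/{2000 + i}'))
    lines.sort()   # fixed-width ISO timestamps come first, so a string sort is a time sort
    return lines


if __name__ == '__main__':
    for user, ts, count in detect_mass_retrieval(sample_log()):
        print(f"ALERT {ts.isoformat()}Z {user} touched {count} distinct records within window")
```

With the constructed sample, only `bob` is flagged, at the moment his 50th distinct record is exported; `carol`'s hundred reads of a single row and `alice`'s slow browsing pass. The detector is deliberately per-user; an attacker who has many low-privilege accounts would have to be caught by a global or per-source-address variant of the same sliding window.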
Well, it sounds like they are talking about a data breach, not a security breach. A hacker breaks into the server, prods around harmless files attempting to learn what the software setup is, just looking around and scoping out for his later attack, then signs off with no trace of actually gathering anything: that is one thing. A hacker downloads any CC#s or other sensitive data: that is a data breach, and it's time to stop fscking around, cut him out, and get apology notices ready ASAP.
Idiotic.
Slashdot approved solution to problems: More government control.
Would it apply to such disclosures?
Korma: Good
the legislation, there will be plenty of loopholes. Such as:
* when does the clock begin, when you suspect a breach or when you've confirmed? What if you never confirm, but leave the question open indefinitely? What are the standards for confirmation?
* what about off-shoring data? Jurisdiction?
What we need are comprehensive privacy laws which place copyright for information about a particular person in the ownership of that person. When companies get their asses sued off for copyright violations they'll take data security more seriously.
It appears the GP suggestion would only fine companies unable to detect massive security breaches in a timely manner, giving them free choice of auditing. Are you saying that companies inept enough not to be able to detect a breach shouldn't be fined?
How about a law to require proper titles for acts instead of these stupid acronyms.
- It won't stop data breeches, but it will make sure decent audit systems are in place.
What do pants have to do with this?
Governments do that all the time. When you want to publish a statement but can't make an official announcement, you leak it to the press. Standard operating procedure.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
IMHO, the best way to ensure better privacy practices and data security is to make it a legal liability to lose data. Just fine the company that lost the data a fixed amount (IMHO: $50) per piece of information lost. If someone loses your name, e-mail address, phone number, mailing address, and billing address, that'd be $250 per customer record lost, and maybe triple the fine if customers suffer consequences (e.g. like in the Sony hack). Such a system makes people collect as little information as possible, and the fines give the government incentive to enforce it. Non-commercials are arguably hit disproportionately hard, but I'm personally fine with not giving my e-mail address out to every website I want to use.
More government control is only advocated when private industry has had a chance to fix it themselves and has proven that they act in the opposite of the best interests of the public, despite requests to the contrary. Government control wasn't the first step. But it's the last when the requests for reasonable notification are ignored for decades and only getting worse.
Learn to love Alaska
If the breach was the accident, not the leak. Someone hacking your system isn't an accidental breach. Sending a mass email with all email addresses in the TO: field is a breach of security that was an accident (and has happened plenty of times). The leak is never "on purpose" but an "on purpose leak" is not the opposite of an "accidental breach."
Learn to love Alaska
don't ask, don't tell
That example only sort of works. The accounts and the data on those computers were work related, so the owner of the works being stolen was basically the department. And Cliff Stoll told his boss what was happening, and got permission to proceed. So this is similar to telling the customers their data is being stolen, and then asking them for permission to monitor it while it continues.
Nobody takes you seriously. We all know you're just a piece of online trolling trash per your own admissions thereof here http://slashdot.org/comments.pl?sid=1907528&cid=34543612 because, after all, you even admit to it you trolling online trash scumbag. Fact.
Am I the only one who notices that last part as a bit ... odd?
I mean, from the point of view of someone whose data has been leaked, where is the difference between leakage due to a hacker breaking in or it being published accidentally? There is none. Some "evil" person may have it now.
From law enforcement's point of view there is a big one. The intention is not to prosecute companies for lax security; the intention is to prosecute someone breaking into a company's data center. Why else would there be no requirement to inform law enforcement if data had been lost accidentally?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Next time you may want to mention the place/society/country. After reading it I can of course conclude that it might be the US but then it was already too late. I was not interested but had to read all the way to the end.
If the stolen data are encrypted database tables (e.g. from software like EncDB), will a notification to the government be required?