Slashdot Mirror


New Legislation Would Punish Mishandling of Private Data

An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"

187 comments

  1. Credit agencies also! by shipofgold · · Score: 1

    They also need a law that will ding the credit agencies when they get it wrong....

    1. Re:Credit agencies also! by Oxford_Comma_Lover · · Score: 2

      They also need a law that will ding the credit agencies when they get it wrong....

      Also need?

      This isn't a law. It's a piece of proposed legislation. Which usually means something someone can point to in order to say "I support X" while knowing full well that X will never actually be law.

      In all likelihood, it has already been referred to some obscure subcommittee and will never be heard from again. (Disclaimer: I'm not sure offhand if he is on the obscure subcommittee, in which case it obviously has a slightly better chance.)

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    2. Re:Credit agencies also! by im_thatoneguy · · Score: 1

      More consumer protecting, job killing regulation!? Socialist!

  2. Oh, great .... now, instead of by Jerry · · Score: 4, Insightful

    insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

    --

    Running with Linux for over 20 years!

    1. Re:Oh, great .... now, instead of by blair1q · · Score: 1

      And you have a better rulemaking system?

    2. Re:Oh, great .... now, instead of by mr1911 · · Score: 1

      insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent, evil intent group of people on the planet?

      FTFY

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
    3. Re:Oh, great .... now, instead of by chuckinator · · Score: 1

      Selling to the government already requires companies to make their products conform to the FIPS 140 and Common Criteria for Information Technology Security Evaluation, and these are very sane standards for network security and handling of sensitive user information. I suspect that they're going to use these already existing NIST standards as a reference for their rules. It'd help if you had more salient information to dispute the competence of government in this specific subject matter domain than the "government BAD" knee jerk reaction.

    4. Re:Oh, great .... now, instead of by edmanet · · Score: 3, Insightful

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

    5. Re:Oh, great .... now, instead of by djdanlib · · Score: 2

      You'd REALLY like to think so. So would I. Unfortunately, all of history proves that your average (key word: average) customer is about as smart as a bag of rocks. All you need to do is give them a good sales pitch, and they don't even bother to read the fine print on the paper you hand them! It's really sad and one of the reasons I needed to get out of retail so long ago.

    6. Re:Oh, great .... now, instead of by eldepeche · · Score: 2

      FTFY

      By making it grammatically incorrect?

    7. Re:Oh, great .... now, instead of by Mad+Merlin · · Score: 2

      Maybe this will provide disincentive to companies that simply snarf up all possible personal data because they can (I'm looking at you, Facebook). This is by far one of the most annoying trends as of late. That's why Game! doesn't ask for any personal information (because it doesn't need it) and makes email optional (if you want to be able to recover your account). Perhaps others will follow suit...

    8. Re:Oh, great .... now, instead of by eldepeche · · Score: 2

      So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

    9. Re:Oh, great .... now, instead of by Overzeetop · · Score: 1

      The law will likely make no distinction in the kind of information - once they have your name, they will have to comply. And, hell, if they have to comply they may as well get as much as possible so they can sell it.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    10. Re:Oh, great .... now, instead of by Entrope · · Score: 1

      Sure: A liability system. If a company leaks my private data due to insufficient care, let me sue them (either individually or as part of a class) to help restore the security of that data, or at least to compensate me for the loss. Instead of saying "thou shalt follow these rules", just say "thou shalt have effective controls", and let companies or industry groups figure out how to live up to the duty to protect private data.

    11. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

      Damn, I must have missed that memo announcing the death of democracy.

    12. Re:Oh, great .... now, instead of by interval1066 · · Score: 1

      Uh... better than nothing at all?

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    13. Re:Oh, great .... now, instead of by poofmeisterp · · Score: 1

      So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

      Who cares?

      If you want to just act without thinking or analyzing, you're utilizing trust.

      When you trust, you can be screwed over if you don't know who/what it is you're trusting.

      Get smart or get..... fart. Ed. On. :)

    14. Re:Oh, great .... now, instead of by uniquename72 · · Score: 3, Insightful

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business ... More laws are not always the best answer.

      Obvious problem: There's no impetus (without laws) for any company to ever tell you that they've lost your data. So your model fails completely.

    15. Re:Oh, great .... now, instead of by MightyMartian · · Score: 1, Insightful

      You think that's bad, wait until you see a Libertarian apply the logic of that numb-nut poster to, say, medical doctors or engineering firms. I debated a guy on here a few weeks ago who was defending the idea that building code enforcement wasn't required, and people should be able to build however they like, and if their house falls down and damages the next door neighbor's property, the neighbor can always sue.

      In short, Libertarians are fucking morons. Either that or sociopaths.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    16. Re:Oh, great .... now, instead of by poofmeisterp · · Score: 1

      FTFY

      By making it grammatically incorrect?

      They dun americanizdeded it tthat makes it gramarticalicly kerrect!

      HUMOR, HUMOR.

    17. Re:Oh, great .... now, instead of by eldepeche · · Score: 1

      Without the government to sort out conflicts and enforce penalties, everyone has to trust the companies they do business with as well. You can do all the analysis in the world, people are still going to screw you over. The government can't be 100% effective, and neither can a customer. They can either invest huge amounts of time researching data retention policies (and eventually get burned anyway), or get repeatedly screwed over, or withdraw from the non-cash economy.

      Of course, the main difference is that without government regulation, you have more people to insult for getting conned.

    18. Re:Oh, great .... now, instead of by SomePgmr · · Score: 1

      I really do want to agree with you, but I don't think that'd play out like that.

      If they get hacked enough, they go out of business.

      You'd think after months of regular hacks, service downtime, DoS'ing, compromised customer info published all over, a long history of screwing their customers, etc., Sony would've been a prime candidate for this. Instead they hired a token g-man and went on with business as usual.

      Do the customers get hurt? Sure. They get smarter too.

      Again, I wish they would... but that doesn't seem to be the case. When a customer weighs their privacy and financial security against being able to play call of duty... well, we know what they go with.

    19. Re:Oh, great .... now, instead of by hrvatska · · Score: 1

      Who, specifically, would decide what constitutes the rules of insufficient care? Who are 'companies or industry groups'? Why can't consumers sue now? Who decides how much a breach is worth?

    20. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      Actually, all Congress would need to do would be to allow any entity where the data breach involves people outside of the entity's state (for single-state companies only doing business with other people in that state, they should sue in state court) that let this happen to be sued in Federal Court for tort damages, as it regards interstate business transactions.

    21. Re:Oh, great .... now, instead of by mr1911 · · Score: 1

      That was a special present for the grammar patrol.

      Your welcome!

      (Poor grammar is the gift that keeps on giving.)

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
    22. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      So let me get this straight. Most people are too dumb to make important decisions about things. But somehow they are smart enough to vote for people that are smart enough to be able to make rules that force them not to do things they would otherwise do? That doesn't make sense. If they are too dumb to make important decisions what particular magic happens in the voting booth that makes them able to figure out who to vote for?

      --
      I love Jesus, except for his foreign policy.
    23. Re:Oh, great .... now, instead of by webheaded · · Score: 2

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

      I think the real point here is that I shouldn't have to keep getting screwed when I have absolutely no say in the matter. I don't KNOW what a company's internal security practices are like so how the hell am I going to be able to do anything about it? What you're saying is ridiculous. You can't know until it is too late and that doesn't seem to really convince anyone else but the company that was attacked to actually do something. So no, your "Darwin" system fails in my mind. I don't see how that would ever work in the real world.

      I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    24. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      Why can't they be both?

    25. Re:Oh, great .... now, instead of by djdanlib · · Score: 1

      You're on the path to the uncomfortable realization that the vast majority of people don't care to be smart, because it's hard and doesn't immediately benefit them. Laziness trumps everything else.

      On average, people aren't smart enough to vote for anyone who will lay down solid foundations. They're too lazy and/or selfish. Instead, it's a giant game of I'll-scratch-your-back-if-you-scratch-my-back based on the hot topics, like tax breaks and all that entertaining mud slinging. Poll around, see how much people know about the politicians they voted for. You'll be surprised. Did they get the bulk of their information from TV commercials and office talk around those? Yeah... they did. Did anyone look at their elected representatives' voting history? I bet not.

      So occasionally someone smart DOES slip through the cracks, or someone in office has a really good idea, and then they put forth a smart bill that actually protects people. Or, some news article gets a lot of coverage somehow, and turns on the spotlight, and the politicians decide they'd better do something that looks good. And then they bicker over it, and add riders, and eventually kill the whole mess outright, thus preventing us from getting most of the laws that would have protected the average person from his average laziness. Sometimes something good does happen, like the Credit Card Reform Act, or the one for student loans. Those are statistical outliers, because people just don't care about each other or themselves enough to get un-lazy and learn about these people they are voting into office!

    26. Re:Oh, great .... now, instead of by Entrope · · Score: 2

      Courts would decide whether a data holder fulfilled a duty to protect data they hold, just like they decide (as necessary) whether people or groups fulfil fiduciary or other duties under other laws.

      Companies are companies. Industry groups are what companies form when they have a common problem to solve, and working together to solve that problem is better than trying to solve it separately. (Courts might accept industry standards as sufficient care, or they might not. I would just expect companies to come together to try to figure out how to address security, because it would probably be acceptable under antitrust law and it lets them air out potential protection schemes.)

      Consumers cannot sue right now because they have no property rights in this data, and they do not suffer harm when the data is lost -- they only suffer (actual) harm when the data is misused, and the company that loses the data is approximately never the entity that engages in identity theft.

      Putting a dollar value on a breach is the hardest part of the scheme, but somehow we put price tags on other intangibles (such as intentional infliction of mental distress). I expect there would be arguments back and forth over the valuations, but that those would be no worse -- and probably better -- than what we see for things like medical malpractice.

    27. Re:Oh, great .... now, instead of by lgw · · Score: 1

      That's very true. But it's always better to regulate the goal, not the method. Fines for data loss are useful, government-specified security procedures? Nearly useless. Heck, there's a stupid amount of data loss from "PCI-compliant" companies already. Convincing the auditors that you're secure against a set of rules doesn't seem to be the ideal security solution.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    28. Re:Oh, great .... now, instead of by cobrausn · · Score: 1

      Libertarians are usually nice people. They just assume everyone else is equally nice, and this enables sociopaths to be sociopaths.

      Most libertarians aren't for 'no regulation', they just tend to prefer local regulation over state over federal. At least, the sane ones anyway. But the sane ones usually aren't the ones who troll forums arguing about building codes.

      I tend to like a bit of libertarianism because it makes sense to have as little government as is necessary and as much freedom as is possible... an admirable goal, but one that needs to avoid being taken to extremes to avoid... well, stupidity.

      --
      How does it feel to be a liar with pants constantly on fire?
    29. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      Not at all. I have realized a long time ago that everyone is an expert on one thing. What makes them happy. The problem comes in when what makes one person happy is not what another person thinks should make them happy and they are prepared to use force to make them conform. The truth is some people are happier:

      Being addicted to drugs rather than living sober
      Living in poverty where they have no responsibilities
      Hooking up with anything that moves disease be damned
      Working a minimum wage job with little responsibilities
      Eating like a glutton rather than staying healthy
      Spending like there is no tomorrow rather than saving

      There are many people that are happy living lives you find revolting. The truth is it is their life and if they are not harming anyone else they should be free to live that way. You can preach or volunteer your time and money to try to convince them otherwise. But you will not succeed.

      The problem is when those that like to control others steal other people's money to try to change people to fit what they think will make them happy. That is the real evil not the person that lives a life you don't like.

      --
      I love Jesus, except for his foreign policy.
    30. Re:Oh, great .... now, instead of by djdanlib · · Score: 1

      Interesting counterpoint. You can't make someone change something they don't want to change - that's a maxim of any social service group out there.

      That philosophy sounds good at an individual level. Now consider it on a larger scheme than the individual. Imagine a collective societal unit of lazy/selfish/greedy people voting for whatever they think will most immediately benefit each of them personally. They aren't even considering other members of their group, just themselves. Then we wind up with a political scene full of manipulative, scheming politicians running for the most votes by saying what their staff thinks will be the most popular (perhaps based on focus groups who are asked "Does this feel good? How about this?") and who are equally as selfish, greedy and lazy as their constituency, whose goals are dictated by whoever yells the loudest. That's how we wind up with corruption, which I think everyone can agree is a problem. In order to change that, we have to address the root cause: people don't care enough to strain themselves and think about what they're doing.

      I guess my point all along has been... motivate people to consider the good of their neighbors too, and don't take the TV's word for any politician's goals or integrity... they need to do their own research! I might not reach everyone, but if I reach a few people, it will improve the situation for everyone. These things ripple outward.

    31. Re:Oh, great .... now, instead of by bell.colin · · Score: 1

      True, Except some of those on that list expect the rest of us to pay for it. You want to "Live in poverty where they have no responsibilities" then you don't get a dime for it.

      Pay for yourself, why should I pay for it?

    32. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      "The truth is it is their life and if they are not harming anyone else"

      As long as they don't expect publicly subsidized housing, food or medical care.

    33. Re:Oh, great .... now, instead of by currently_awake · · Score: 1, Insightful

      In a world where everyone is (equally) rich, libertarian works just fine. It's only where you have people rich enough to crush the poor that it doesn't work.

    34. Re:Oh, great .... now, instead of by eldepeche · · Score: 1

      It sounds like you just invented a regulatory process, congratulations.

      Of course, regulations based on torts are pretty inefficient (compared to rules made by professionally trained bureaucrats), since legal services cost a lot of money. Imagine a check cashing company with a data breach: all the customers are poor and relatively powerless, so they can collectively hire a lawyer on contingency if they want the company to face consequences. Not much of a deterrent, compared to an automatic review process and a government-issued fine. The same treatment happens if it's a Rolls Royce dealership.

    35. Re:Oh, great .... now, instead of by WrecklessSandwich · · Score: 1

      If they are too dumb to make important decisions what particular magic happens in the voting booth that makes them able to figure out who to vote for?

      Sadly, there is no such magic. However, while our implementation of representative government is obviously far from perfect, it still beats every bag of rocks having a direct say in the matter.

      There's also an argument there for some sort of Utopian meritocracy where the most intelligent people act as benevolent overlords to protect the bags of rocks from themselves. The hurdle in that case (ignoring the 300lb gorilla that is "Utopian" and all of the assumptions that come with it) is developing a definition of who is fit to rule that is practical, morally defensible, and involves a more scientifically accurate model of intelligence/competence than we have at present.

    36. Re:Oh, great .... now, instead of by Entrope · · Score: 1

      If you think what I described is a regulatory process, you clearly have experience with neither courts nor regulatory processes. Do you think the courts act as a regulatory process for insurance fraud or murder?

      "Professionally trained bureaucrats" sounds like a criminal class by definition. They should not make rules for anyone except other career bureaucrats. The rules they make are the products of regulatory capture by some of the companies being regulated: The bureaucrats either need to be taught by those companies, or they come from those companies.

    37. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      I also happen to believe from personal experience that you have to suffer in order to change. Anything someone does to relieve your suffering is committing a grave injustice.

      Take a drug abuser for example. If they are happy living that way fine. If they are unhappy because they can't keep a job and are broke and homeless it is an injustice to just give them money or a place to live. They need to suffer in order to get to the point where they are serious about stopping and then they can stop on their own.

      --
      I love Jesus, except for his foreign policy.
    38. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      Or go back to the Constitution where the government is in charge of protecting life, liberty,and property and nothing else.

      --
      I love Jesus, except for his foreign policy.
    39. Re:Oh, great .... now, instead of by geekoid · · Score: 2

      Wow, you really have no clue of the market, do you.

      Why would companies disclose there was a problem at all? What about companies where there really isn't an alternative? What about industries where all the players stop caring because it cost money, and hey they don't have anyplace to go.

      You do know business used to be run without regulation, right? And people were killed from a variety of things they HAD NO CONTROL OVER.

      That is why there are regulations. Please try to understand that. For one of many, many examples see: Robber Barons.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    40. Re:Oh, great .... now, instead of by geekoid · · Score: 1

      YOUR faulty premise is that people in Washington aren't smart. Clearly they are. So stop looking at a decision as stupid, instead ask why.

      DC has been incredibly successful at creating laws that establish a minimum bar.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    41. Re:Oh, great .... now, instead of by geekoid · · Score: 1

      What do you think regulations are for? to protect life, liberty, and property.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    42. Re:Oh, great .... now, instead of by geekoid · · Score: 1

      what a quaint little 1950's belief.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    43. Re:Oh, great .... now, instead of by geekoid · · Score: 1

      It was moving to a more libertarian form of bank regulation system that caused the financial issue we are having.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    44. Re:Oh, great .... now, instead of by geekoid · · Score: 1

      No, like all regulation, it just sets a min. bar.

      The first step is admitting you have a Taxation problem

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    45. Re:Oh, great .... now, instead of by eldepeche · · Score: 1

      It's not possible under current law, and it would create an avenue for restitution to customers that would serve as a deterrent to certain behavior (lax security practices). I'm using a fairly loose definition of "regulatory process," but instead of the government pursuing action, you would have individuals (presumably after government-mandated disclosure?).

      I see no reason to believe the legislation assigning liability for data breaches to companies (contingent on their lack of sufficient security practices, as determined by the court) would get a materially better result than creating a government agency responsible for setting guidelines for acceptable practices and assigning penalties for non-compliance (even potentially in the absence of a data breach). You would require the parties whose data is leaked to take action after they are notified of the breach; I would make such action automatic.

      And yeah, government employees are criminals. I'm not going to bother responding to this garbage. Regulatory capture can happen to judges, and there is less ability to review the decisions of judges, who have to rely on the testimony of expert witnesses, who are taught by those companies, or come from those companies. I bet you complain about judicial activism, too.

    46. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      Wow thanks for that. Indeed a good laugh. Regulations are the way that large corporations prevent small competitors from competing by setting the legal hurdle so high for entry that nobody tries.

      A good example was for a long time after prohibition you were not allowed to brew your own beer without a license. But since the only way to learn how to brew beer was by doing it to learn the craft it effectively provided a huge barrier to entry that the big beer companies enjoyed. When Carter allowed making small quantities of beer and wine at home for personal consumption people did and got better at it. They got to the point where they decided to start their own micro breweries. This would never have happened if Carter didn't deregulate that market.

      --
      I love Jesus, except for his foreign policy.
    47. Re:Oh, great .... now, instead of by trout007 · · Score: 1

      Just because it's quaint doesn't mean it's false. I never knew a friend that at the behest of friends and family turned their life around. It was only after hitting rock bottom and finally wanting to change did they do so.

      --
      I love Jesus, except for his foreign policy.
    48. Re:Oh, great .... now, instead of by Entrope · · Score: 1

      The comment that started the thread explained the reason for doubting that government-created rules would generate good outcomes, but apparently you can't remember that far back.

    49. Re:Oh, great .... now, instead of by WrecklessSandwich · · Score: 2

      I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

      I agree wholeheartedly. I think one of the big reasons regulation gets so much hate is poorly implemented regulations giving the broader concept a bad rap. In general terms I think the right way to regulate is to establish minimum standards that give a baseline of what is acceptable behavior. Behavior below that standard is in some way harmful to the public, which is what prompted the creation of regulation in the first place. Regulation should focus on what one should NOT do ("don't poison people's drinking water, through whatever means are required/logical for your situation") as opposed to spelling out specific things that one MUST do in order to be considered compliant. The latter tends to have a higher cost of implementation due to effective alternatives not being considered compliant, as well as having more potential for the regulation just plain not being effective at its underlying goal: the public welfare. The former reflects a healthy role of government in society: protect its citizens from harm while restricting its citizenry in as few ways as possible.

      In this case, good regulation would make companies liable for patently bad security practices such as:
      -Passwords written down on a post-it note under the keyboard (OK, you obviously can't really regulate this one reliably, but if you could somehow prove it in a negligence lawsuit it would be pretty awesome)
      -Failure to install critical security patches in a timely fashion
      -Not performing some basic level of testing systems against a simulated attack, especially for attacks that are very easy to perform like SQL injects
      -Failure to secure systems in response to previous breaches (Sony servers from various business divisions being hit by SQL injects all over the world over a significant time period)
      -Storing things like credit card numbers, passwords, etc in plain text
      -Very weak passwords, especially for sensitive logins. Things like passwords being 6 or less characters, all lowercase, password=username, or passwords that are based on easily obtainable information about the user of the account (wife/pet's name, etc)

      The following would be bad things to require as part of regulations. They could possibly be published alongside the regulations as recommendations/guidelines, but keep in mind here that the goal is to establish a baseline for what should be considered negligence.
      -Use of third party security software from an approved list. These kinds of schemes are bad because a sysadmin could take perfectly reasonable steps to secure systems without using "approved" software (good luck keeping that list up to date anyways), but in the event of a breach they get crucified for not installing Norton Antivirus 2001.
      -Although I did mention SQL injects as an example of stupid easy things you shouldn't get hit by, there should be little emphasis on specific vulnerabilities. As we're all quite aware here, technology changes far faster than laws.
      -Convoluted requirements about the complexity/periodic changing of passwords. A lot of people on this site have probably worked at *that company* where you have to change your 20+ character password every 15 minutes to something you've never used as your password before involving most of the symbols on their keyboard. Yes I'm hyperbolizing like there's no tomorrow, but anything in that vein shouldn't be government-mandated.

      Unfortunately, I don't have much in the way of purely "bad" examples of existing regulation on hand (Obama's health care reforms requiring the purchase of health insurance is VERY bad, but those reforms also implemented a bunch of good protections that are all rolled up in the same law), but TubeSteak gave some good examples of the right way to implement regul
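      As an added illustration (not the commenter's code) of the "baseline negligence" items in the list above, the following Python turns the weak-password criteria the post names (6 or fewer characters, all lowercase, password equal to the username, or built from easily obtainable facts about the user) into a check, and replaces plain-text storage with a salted PBKDF2 record. The function names, the record format and the sample personal-info fields are assumptions of this example.

```python
"""Baseline checks for the negligent password practices listed in the post.

Added example; names (weak_password_reasons, store_password, verify_password),
the record format and the work factor are assumptions, not a standard.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def weak_password_reasons(password: str, username: str,
                          personal_info: Optional[Dict[str, str]] = None) -> List[str]:
    """Return every reason the password would count as 'very weak' under the
    criteria in the post. An empty list means none of those criteria fired."""
    reasons: List[str] = []
    pw = password.lower()

    if len(password) <= 6:
        reasons.append("6 or fewer characters")
    # str.islower() is True when every cased character is lowercase and at
    # least one cased character exists, i.e. no uppercase letters at all.
    if password.islower():
        reasons.append("all lowercase")
    if pw == username.lower():
        reasons.append("password equals username")
    # "Easily obtainable information": spouse/pet name etc. appearing in the
    # password, compared case-insensitively so "Fluffy2011" is still caught.
    for label, value in (personal_info or {}).items():
        token = value.strip().lower()
        if len(token) >= 3 and token in pw:
            reasons.append(f"based on {label}")
    return reasons


def store_password(password: str) -> str:
    """Produce a salted PBKDF2-HMAC-SHA256 record instead of the plain-text
    storage the post calls negligent. Assumed record layout:
    pbkdf2_sha256$<rounds>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and rounds and compare it in
    constant time, so the clear-text password never needs to be stored."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    info = {"spouse's name": "Alice", "pet's name": "Fluffy"}
    for candidate in ("bob", "fluffy2011", "Tr0ub4dor&3xyz"):
        print(candidate, "->", weak_password_reasons(candidate, "bob", info) or "ok")
    rec = store_password("Tr0ub4dor&3xyz")
    print(rec)
    print(verify_password("Tr0ub4dor&3xyz", rec), verify_password("bob", rec))
```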

    50. Re:Oh, great .... now, instead of by SlippyToad · · Score: 1

      Darwinism is not a system. It's anarchy and chaos.

      Which is what you would seem to prefer.

      --
      One day I feel I'm ahead of the wheel / the next it's rolling over me / I can get back on / I can get back on
    51. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      Most libertarians aren't for 'no regulation', they just tend to prefer local regulation over state over federal.

      That's not libertarianism, that's federalism. Many libertarians are federalists, and many federalists are libertarians, but there's plenty of each who aren't the other.

    52. Re:Oh, great .... now, instead of by Anonymous Coward · · Score: 0

      Darwinism only works on large and reproducing populations.
      For this method to work there would have to be hundreds of companies of Sony's size in the same field and new ones would have to pop up every year.
      This is not the case so darwinism does not apply. (This also means that the traditional capitalistic model doesn't apply and can be ignored by Sony, Microsoft and Nintendo.)

      Since the Darwinistic model doesn't apply we have to choose between government intervention and no intervention and I would prefer if Sony didn't dictate the rules.

    53. Re:Oh, great .... now, instead of by mike1210 · · Score: 0

      So repealing 17 pages of regulations and replacing them with thousands more is "more libertarian"?

      The "financial issue" we are having was caused primarily by affirmative-action lending mandated by the government, not by any "libertarian" policies.

    54. Re:Oh, great .... now, instead of by lgw · · Score: 1

      The first step is admitting you have Taxation problem

      Well, sure, we're vastly overtaxed, but given how much we owe ($130K per taxpayer) we'll have to live with that for a generation or two just to get out from under.

      Let's get the government entirely out of the business of taking money from the politically disfavored and handing it directly to the politically favored - that's the failure mode of democracy and we're failing fast. Any money the government wants to spend on infrastructure, defence, research, and the like they're welcome to tax from me, but other than defense that sort of legitimate spending is almost a rounding error.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    55. Re:Oh, great .... now, instead of by chrisphotonic · · Score: 1

      The good news is so are Democrats and Republicans.

      Oh- and people as a whole too.

    56. Re:Oh, great .... now, instead of by chrisphotonic · · Score: 1

      I think we need to make the people who are our lawmakers know the industry they are trying to regulate. The biggest problem is people that talk a good talk, without knowing how to 'work the trenches'. Confidence plus ignorance is always the worst combination for everyone.

      The government taking money in 'fines' doesn't help secure data. The government will just squander the money. Audits yes. Repaying customers yes. Forcing them to be audited by an outside, people-chosen company yes. We would want the company to put a huge amount of money into the security rather than getting no return by the government adding it to their own coffers. Let's not lose sight of the goal.

      We need an on-line voting system for many of these new laws; our politicians feel like they're here to serve the big companies, and the banks. It's 2011.

      Let's get everyone involved on the important issues and have them vote on-line. It's not going to be perfect, the people may get fooled for a while, but it's going to be a lot better than someone tempting a senator with a couple million dollars that could cost the taxpayer billions.

      This would be an issue that everyone should vote on.

    57. Re:Oh, great .... now, instead of by MightyMartian · · Score: 1

      At least they're pragmatic... well except the Tea Party, but they're a good example of what happens when you have near-religious adoration of political ideology.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    58. Re:Oh, great .... now, instead of by eldepeche · · Score: 1

      Hm...

      http://lmgtfy.com/?q=are+subprime+loans+subject+to+the+CRA

      Also: http://consumerist.com/2009/06/affidavits-on-how-wells-fargo-gave-ghetto-loans-to-mud-people.html

      Yes, I think we can safely say that the current global economic slowdown was caused by the government forcing everyone to be nice to black people.

  3. This'll go far. by Anonymous Coward · · Score: 1

    Another set of guidelines. As long as the financial backers of the legislators can water it down enough, all they have to do is follow them and they can't be sued for exposing private data.

    If they can't be watered down enough, nothing will happen.

    1. Re:This'll go far. by blair1q · · Score: 1

      If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

    2. Re:This'll go far. by Anonymous Coward · · Score: 0

      We work with financial data and PII on a regular basis. These regulations are very real and taken seriously. We have to rip and replace our SAN with hardware that supports encryption at rest. It does not matter that the data is encrypted in transport and that the application that exposes the data is secured with two factor authentication, and access is limited to specific list of IP addresses. It is not good enough that all of the data stored in SQL is encrypted in the database. We also have to encrypt the rest of the data at rest on the SAN. You know, in case someone breaks into the SAS70 certified data center, makes it to our cage and some how manages to get out of there with the 1000+ pound SAN.

    3. Re:This'll go far. by mewsenews · · Score: 1

      If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

      Quite right. This is the exact reason I pipe my customer's information to /dev/null

    4. Re:This'll go far. by poofmeisterp · · Score: 1

      If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

      Quite right. This is the exact reason I pipe my customer's information to /dev/null

      Where does your profit come from if you /dev/nullified all of the data?? :>

    5. Re:This'll go far. by Anonymous Coward · · Score: 0

      Step 2 of course. Duh.

    6. Re:This'll go far. by Bucky24 · · Score: 1

      Isn't profit supposed to be step 4?

      --
      All the world's a CPU, and all the men and women merely AI agents
  4. Specific guidelines? by Anonymous Coward · · Score: 0

    Something tells me the net result will be a weak set of (designed-by-heavily-lobbied-committee) guidelines that exempts anyone who follows them from any legal action if those guidelines turn out to be not enough.

  5. Suspect by skelly33 · · Score: 1

    The article mentions that they would have very specific requirements for the method by which data is protected. Not having seen the specifics, if they get too specific, I would be rather suspicious of the law becoming a barrier to future improvements - what they think of today as being "the right way" to do it doesn't mean it's the ONLY way and could end up being prohibitive based on the architecture of the system in question. I'm just sayin...

    1. Re:Suspect by n5vb · · Score: 1

      Agreed. Legislators in general tend to suck pretty badly at writing law, and an order of magnitude worse at writing code. Even when it doesn't involve crypto or IT security.

      (They weren't elected for their ability to apply reasoning to problems, after all. They were elected for being handsome/pretty and/or popular and willing to accept huge campaign contributions from the interests they're at least theoretically supposed to regulate. These attributes are not known to correlate strongly with strong reasoning skills.)

    2. Re:Suspect by TubeSteak · · Score: 2

      Personal Data Protection and Breach Accountability Act of 2011

      SEC. 303. ENFORCEMENT.

      (a) Civil Penalties-

      (1) IN GENERAL- Any business entity that violates the provisions of sections 301 or 302 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation.

      (2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 301 or 302 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation.

      "Stiff" penalties my ass.

      SEC. 312. EXEMPTIONS.

      (b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 311, if--

      (1) a risk assessment concludes that--

      (A) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the encryption of such information establishing a presumption that no significant risk exists; or

      (B) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the rendering of such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, establishing a presumption that no significant risk exists;

      Motherfuckers. Breaches of security are just as relevant to the public as loss of data.
      My suspicion is that by the time this comes out of committee and works its way to Congress,
      it'll be so watered down that private businesses will be clamouring for it to be passed.

      --
      [Fuck Beta]
      o0t!
    3. Re:Suspect by TubeSteak · · Score: 1

      And this is an associated piece of legislation:
      Data Breach Notification Act of 2011
      It uses a lot of the same language, but has different dollar penalties attached to breaches.
      I haven't really given it a good read-through, but it seems to provide the caps on damages like the other bill

      --
      [Fuck Beta]
      o0t!
    4. Re:Suspect by mcl630 · · Score: 1

      Yes... The best security today will likely be crap security 10 years from now.

  6. Technology at the Speed of Government by Anonymous Coward · · Score: 0

    Because government agencies are always up to date on their cryptology.

  7. The man by Anonymous Coward · · Score: 0

    And when the government is said mishandler... does this mean tax refunds?

    Another stupid piece of legislation.

    1. Re:The man by stretch0611 · · Score: 1

      And when the government is said mishandler... does this mean tax refunds?

      Yes, but the money will be sent to the person that just stole your social security number.

      --
      Looking for a job?
      Want your resume written professionally?
      DON'T USE TUNAREZ!!!
    2. Re:The man by poofmeisterp · · Score: 1

      And when the government is said mishandler... does this mean tax refunds?

      Yes, but the money will be sent to the person that just stole your social security number.

      I smell fire or something.... What is that?

      BUUUURN! Nice one. :)

  8. A far better policy by cowwoc2001 · · Score: 3, Interesting

    A far better policy would be to require companies to disclose any time their servers are hacked, whether private user data is stolen or not. That would go a long way towards tying server security to a company's bottom line.

    Mandating specific guidelines is a bad idea because the government has no clue when it comes to good security, and even if they did, guidelines change over time.

    1. Re:A far better policy by Stormthirst · · Score: 3, Interesting

      Perhaps even mandated compensation paid to the person whose data was lost, depending on what was lost. If it were 'merely' your name and address then that's $5,000. If your telephone number too, then $7,500. If it includes your social security number, then $50,000. Biometrics? $100,000 etc etc etc. If the person concerned can prove that their identity was used in the commissioning of a crime - triple the compensation.

      See how quickly companies tighten their security.

    2. Re:A far better policy by Bucky24 · · Score: 1

      I suspect that companies would just spend 100,000*number_of_leaks to hide the fact that biometric data was lost.

      --
      All the world's a CPU, and all the men and women merely AI agents
    3. Re:A far better policy by Stormthirst · · Score: 1

      Perhaps. How many companies would be able to hide that in their SEC filings?

  9. Band Aid by Anonymous Coward · · Score: 0

    Laws like this are just like putting a band-aid on a gaping gunshot wound. By the time all the lobbyists for any impacted industries are finished carving out exceptions and loopholes to make sure their clients aren't negatively affected, the law won't protect much of anything. In fact, this fed law will effectively neuter any of the more restrictive state laws that cover privacy data handling. What this country really needs is a constitutional amendment to bring the US in line with other nations like Brazil that have enshrined the right to privacy in their constitutions.

    1. Re:Band Aid by kenh · · Score: 2

      "What this country really needs is constitutional amendment to bring the US in line with other nations like Brazil that have enshrined the right to privacy in their constitutions"

      Privacy is enshrined in our Constitution as well, take a look... Lotta good that does us!

      --
      Ken
    2. Re:Band Aid by mark-t · · Score: 1

      Not generally speaking. It might possibly be inferred by certain amendments, but the inference is far from conclusive.

    3. Re:Band Aid by edraven · · Score: 1

      If you can post the section of the US Constitution that specifically addresses the right to privacy, I think that would be educational for all of us here.

    4. Re:Band Aid by Anonymous Coward · · Score: 0

      No, privacy is implied by certain amendments in the Bill of Rights, the Preamble (secure the Blessings of Liberty) and stare decisis. It falls under the "penumbra" of the constitution without being explicitly mentioned.

    5. Re:Band Aid by sconeu · · Score: 1

      The Ninth Amendment.

      The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

      Translation: "Even though we didn't explicitly mention Right 'X', you've still got it."

      Also the Tenth:

      The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

      Translation: "If it ain't in here, the Feds can't do it."

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:Band Aid by Anonymous Coward · · Score: 0

      Awesome, so you're saying the US Constitution also explicitly guarantees me the inalienable rights to retire a multi-billionaire at the age of 40, teleport at will, and turn invisible. I'ma go right out and exercise my constitutional rights.

    7. Re:Band Aid by Anonymous Coward · · Score: 0

      You, madam, are a twat. You certainly do have those rights, just as you have the right to put a turnip on your head, eat cow poop, and masturbate with a cheese grater.

  10. Re:are new laws worth complaining about? by mr1911 · · Score: 1

    Try harder Mike. Even Dr. Bob is entertaining.

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
  11. Google? by Anonymous Coward · · Score: 0

    So, what about Google? Are they going to be fined for not keeping my personal info protected? What? You don't know that your gmail is not protected at all? Just look at all the AD companies that are using your personal info.......

    1. Re:Google? by jnpcl · · Score: 1

      Troll much?

      Google is the only Ad company that gets your personal information from Google.

      Perhaps you're confusing them with Facebook?

  12. This is a dumbed-down version of HIPAA by swan5566 · · Score: 1

    Companies that deal with people's medical information already have to follow (much) stricter regulations - ones that can potentially carry criminal sentences. And stricter still are companies that carry classified information.

    --
    In debates about Christianity, there are two groups: those looking for answers, and those looking to just ask questions.
  13. Use "certified" firms or be arrested by Kohath · · Score: 3, Insightful

    These types of government regulations always turn out like this:

    - Businesses are forced to use "certified" firms as contractors or auditors
    - "Certified" firms are politically-connected firms with Washington lobbyists on their payroll
    - Government agencies get created to police whatever is regulated in the law
    - "Certified" firms work with the agencies to make sure certification is exclusive so they can charge above-market rates (rent seeking)
    - Executives at "certified" firms contribute to Richard Blumenthal's re-election campaign.
    - Small startup firms are kept out
    - Innocent business operators are raided by regulating agencies, even though they never had a security breach.
    - Security breaches and private data compromises continue despite government regulation
    - There are fewer jobs for everyone handling private data, and there are fewer choices of services.
    - Everyone wonders why we have high unemployment and private data breaches.
    - People propose deregulating so we can have our freedom back.
    - Someone comes up with the private-data equivalent of "think of the children!!!!"

    - Time passes. Another hundred such regulatory regimes get added for every facet of life. Life steadily gets worse for everyone who isn't politically connected.

    1. Re:Use "certified" firms or be arrested by interval1066 · · Score: 0

      Yes, I think that's exactly how it works...

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    2. Re:Use "certified" firms or be arrested by DNS-and-BIND · · Score: 1

      Fuck you, teabagger. Less government is NEVER the solution.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Use "certified" firms or be arrested by netwarerip · · Score: 1

      The GLBA ( http://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act ) is this type of gov't regulation and has none of the issues that you have brought up, with the exception of the gov't agency that is required to police (audit) companies bound by it. But the GLBA didn't create those agencies, just granted them a standard set of rules and the power to enforce them. If anything it has created more jobs, rather than reducing them. Granted, many of the jobs are filled by auditors, and imo there are few lower lifeforms on the planet, but they still fill jobs. The issue with it is that when there are auditors there are bound to be varied interpretations of the law, and the standard bias that goes along with it. I went thru 3-4 audits a year at 3 different community banks over a 10 year span and no 2 audits were alike. What the Feds wanted the State didn't care about. What the OCC wanted the FDIC disagreed with. One group had me remove overhead sprinklers from the 'data center' and the next group wrote me up for not having fire suppression in the data center. The standard requires 'encryption' but I didn't have a single bit of customer info encrypted until the last year at the last bank. I did, however, get written up for not having a written log to track the changing of smoke detector batteries.

    4. Re:Use "certified" firms or be arrested by Anonymous Coward · · Score: 0

      After taking a breath I realized you were being sarcastic...it's a sad statement about modern politics, that your response sounds real.

    5. Re:Use "certified" firms or be arrested by Anonymous Coward · · Score: 0

      Such infallible logic. You must be a member of this new generation of 'progressives' that doesn't have an actual clue how to actually argue or debate an issue and can't stand it when something that isn't leftist/statist gets through the echo chamber they carefully cultivate. Kindly step away from the keyboard, please.

      What I find funny is that one of Marx's critiques of capitalism is exactly this - it eventually becomes 'State Capitalism'. I'm sure in the fantasy land of your mind, every government regulation has some kind of obvious and immediate gain for 'the people', as long as it was written by a democrat. Since corporations are people now too, maybe you're right, it's just not that it's for 'the people' as much as it is for 'specific, very rich people'.

      Regulation is a tool. Tools can be used incorrectly. An example of this is how your perfectly innocent keyboard was used to type the vitriolic absolute nonsense I'm responding to.

    6. Re:Use "certified" firms or be arrested by geekoid · · Score: 1

      Except history shows that that seldom happens. When it does it doesn't last long before getting shot down.

      But hey, keep making up shit. I mean, otherwise you would have to actually read and learn, and that would interrupt your wankery.

      --
      Dunning-Kruger explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    7. Re:Use "certified" firms or be arrested by Anonymous Coward · · Score: 0

      You're missing the last steps. Let me FTFY

      - Our power structure becomes too bloated to be the Guardian of the Universe
      - People get tired of taxing and restrictions
      - Large internal political changes are made. (in extreme cases, coup or revolution)
      - Rinse and repeat

  14. Not about protecting data, it's about protecting c by kenh · · Score: 1

    Data will leak, period. You can work really, really hard to make sure it doesn't, but eventually it will leak.

    Increased security only makes it harder, not impossible, and when the data does leak, the companies will be immune from prosecution, since they did everything they were required to do.

    --
    Ken
  15. Stiff fines my ass... by Overzeetop · · Score: 4, Interesting

    Put the corporate officers in jail - make the minimum sentence mandatory. It needn't be long. Hold people in power responsible and you'll see action.

    Business will make a value judgment based on the cost - $5,000,000 potential fine or $300,000 in IT changes means it happens. $5,000,000 fine or $3,000,000 in IT changes and all of a sudden it's not so clear cut. CEO and CIO guaranteed to get 6 months to 5 years in a federal pen for non-compliance and that IT change could cost $30,000,000 and it would be item number one on every single board meeting agenda until the transition is complete.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Stiff fines my ass... by Kohath · · Score: 1

      So any low level employee with access to data can "accidentally" cause a security breach and get the executives put in prison. Justice!

    2. Re:Stiff fines my ass... by ortholattice · · Score: 1

      What I think needs to happen is for fines to be based on a percent of income or assets rather than a fixed dollar amount. (I think some countries do this for speeding fines). Only then will it be a proper disincentive for wealthy people, as opposed to just being a minor inconvenience as a "cost of doing business". In fact, make the percentage "progressive", like income tax, so the wealthier you are, the higher the percentage: fining a poor person 50% of their assets would cause them hardship, whereas fining a billionaire 50% of their assets would hardly affect their lifestyle at all. I think the prospect of a billionaire losing 98% of their assets (and being left with "only" 20 million) would be a far greater deterrent than spending 6 months in a country-club prison.

    3. Re:Stiff fines my ass... by Anonymous Coward · · Score: 0

      You and I know full well there won't be any Board members serving a minute of time. Like every other industry to date, it is seldom the 'decision makers' who are held responsible. It is the peons at the bottom doing the actual work that get the jail time, hard and heavy. You really think IT security is going to be any different? There is the whole, 'we run your services and can access your email' aspect of the equation, but all things being equal, the lowest man on the totem pole is gonna get thrown under the bus.

      Legislating that ONLY Board members can be held responsible, since they're responsible for decisions being implemented... now that has a nice sound to it.

      In reality, following the trail for a breach and assigning blame is a slippery slope. I can't imagine, with coming legislation like this, those Corporate environments are going to get any easier to work for.

      Personally, I work for the state, and we have our own hellish checklist to manage. Thankfully though, I don't deal with too much personal information.

    4. Re:Stiff fines my ass... by Bucky24 · · Score: 1

      This isn't going to work at all. First off, it's the corporation itself that is responsible for the loss of data. This is inherent in how corporations exist, to protect those who work for them from being sued/put in jail for the actions of the company. Second, as someone has already said below, someone in IT who doesn't like the CEO will just leak data on purpose.

      --
      All the world's a CPU, and all the men and women merely AI agents
    5. Re:Stiff fines my ass... by rlglende · · Score: 1

      Even if it could work for any period of time, how will you get it passed? The lobbyists will outspend you 1000s to 1. The corporate media will shape their message. Campaign contributions will make sure lobbyists 'have access' to present their arguments.

      Money buys power. You can't outspend the rich guys, so this is fantasy.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    6. Re:Stiff fines my ass... by Anonymous Coward · · Score: 0

      The action that you shall see, if you do something like that, is putting puppets to power and even more stupid CEOs/CIOs would evolve, because nobody with any sense would want that kind of responsibility.

  16. Which one costs more? by Kozz · · Score: 3, Insightful

    Unless the "stiff fines" cost the company even more than the implementation of storage guidelines, why would they bother? When laws against corporations hit only their pocketbooks (say the cost of a few weeks' worth of hookers and blow for the CEO), they frequently don't have any teeth.

    --
    I only post comments when someone on the internet is wrong.
    1. Re:Which one costs more? by stretch0611 · · Score: 1

      In addition, they will need to hold companies accountable when their offshore data center gets breached.

      Without this I see all the giant US companies saying that they are not responsible because the outsourcing firm did not store your data properly. And sorry, but the outsourcing firm is not a US entity and not subject to US law.

      --
      Looking for a job?
      Want your resume written professionally?
      DON'T USE TUNAREZ!!!
    2. Re:Which one costs more? by MightyMartian · · Score: 1

      Perhaps they should add "And the CIO will be ass-raped for the rest of his days..."

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Which one costs more? by Anonymous Coward · · Score: 0

      In an Agile corporation, the hookers don't have any teeth, but blow.

    4. Re:Which one costs more? by Anonymous Coward · · Score: 0

      Promises, promises

  17. Money buys power. by rlglende · · Score: 2, Insightful

    Who do you think is asking for the rules? The same stupid corporations who can't ever provide decent security, of course.

    Before the rules are settled, companies will be immune to lawsuits from mere plebians who are injured by their screwups.

    Money buys power, so you can be sure this will be included in any rules.

    Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is no responsible for most of the deaths around the world, all due to "'that drug doesn't exist yet" or "you can't afford the drug".

    Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

    Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

    The market, which has a bad rep in the progressive mind relative to gov-imposed solutions, should be appreciated among Slashdot's technical audience, as it represents a scalable parallel search algorithm for solutions that bother customers.

    Fortunately, we can depend on basic system dynamics to assure us there will be an end to all of this: Power has a strong, inherent positive feedback --> the more power you have, the easier it is to get more. Un-restrained positive feedback systems always destroy the system.

    --
    "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    1. Re:Money buys power. by rlglende · · Score: 1

      The FDA is NOW responsible etc.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    2. Re:Money buys power. by eldepeche · · Score: 1

      Since the FDA is responsible for approving drugs for sale in the US, they are responsible if people die of treatable diseases elsewhere.

      Therefore, we shouldn't worry about companies storing their customers' personal information unencrypted on a laptop they leave in their car in plain sight, because the market.

    3. Re:Money buys power. by poofmeisterp · · Score: 1

      Who do you think is asking for the rules?...

      Probably someone (Senator Richard Blumenthal) who got screwed over. Now, instead of "caring" and "listening to the concerns" of those involved, he will actually act.

      Just a hunch here... Just a hunch.

    4. Re:Money buys power. by rlglende · · Score: 2

      Most legislation begins as a method of soliciting campaign donations.

      In any case, how does this disprove "money buys power" and the consequences thereof?

      The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    5. Re:Money buys power. by TubeSteak · · Score: 4, Insightful

      Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is no responsible for most of the deaths around the world, all due to "'that drug doesn't exist yet" or "you can't afford the drug".

      Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

      Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

      What a logical clusterfuck.
      Regulations NEVER work?
      Is your drinking water clean? Is there lead in your paint? Is melamine used as a filler in your food products?
      Did you have to work 12 hour days in an unsafe factory starting at the age of 8?

      Your question is just another version of "What have the Romans ever done for us?"
      The answer is "a lot" and whoever modded you up should be ashamed of themselves.

      --
      [Fuck Beta]
      o0t!
    6. Re:Money buys power. by poofmeisterp · · Score: 1

      Most legislation begins as a method of soliciting campaign donations.

      You are so correct on that one, my friend. I concede, completely.

      The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

      I understand you here and my mind agrees from every angle, but I'm not sure how you got on it. What did I miss?

    7. Re:Money buys power. by rlglende · · Score: 1

      And these statements relate to 'money buys power', and the consequences thereof, how?

      The US's drug industry develops more than half of the drugs in the world. The first thing they tell you in a drug development course is that no drug can be considered unless it has a $2B/year market because it takes $500M - $1B to get a drug to market, averaged over all of the efforts.

      Thus, a very low rate of new drug development despite the rapid decrease in the costs (10 cents / drug, 10 years ago when last I looked at this) and increase in speed of screening drugs against targets. Thus, 'orphan drugs' for diseases that do not have that large a market. Thus the problem that bacteria are evolving faster than new broad-spectrum antibiotics can be developed. Thus the extremely high prices for drugs. Thus the 1000 drugs that European MDs can use, but not US MDs.

      Currently, if a mere peon can show that he has been damaged by a security breach, that mere peon can sue, though there is a high hurdle in connecting damages to the breach. After these regulations, that mere peon will not be able to sue unless he can show both the connection to his damages and that the company did not follow the rules, a much bigger problem. The lobbyists will ensure this, attempt to limit class actions, ...

      This is how most of the regulatory bodies work : company follows agency rules, is immune to lawsuits.

      It is universal that regulators become incestuous with regulatees, that regulations limit competition, work for the regulatees. Money buys power.

      I note that nobody has accepted the challenge of providing an example of a set of regulations that work.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    8. Re:Money buys power. by Anonymous Coward · · Score: 0

      Name a set of regulations that work.

      Glass-Steagall. Part of it was repealed in 1980 which was followed by massive bank failures, the rest was repealed in 1999, when the banks rode the bubble for almost 10 years before massive bank failures.

      FDA - Your food is a lot safer now than it was before the FDA.

      Building codes - I'm pretty sure anywhere earthquake prone is glad for these.
      Water. Safety. Road building. Engineering. Doctors. Lawyers. All have regulations that work.

      There are hundreds of other examples - look around.

      Provide an economic evaluation of their consequences vs 'market solutions'.

      I'm not your student, why should I do homework for you? You're the one making the ridiculous claim ("regulations NEVER work"), you're the one who needs proof.

    9. Re:Money buys power. by trout007 · · Score: 1

      If you really think that the only reason companies don't intentionally kill people is because of laws you are beyond hope. Your drinking water is only clean enough to pass regulations. But many people aren't satisfied by this, hence the market for water filters. So it's pretty obvious there are companies out there trying to provide products that people want because the regulations aren't doing it.

      Lead was used in paint for a very long time. Only when it was shown to cause problems did people want it out of their paint. Sure a regulation was passed but the market wasn't there for it anymore anyway.

      Do you really think parents were mean and cruel 100 years ago when they had their kids work in factories? Before the industrial revolution kids worked in the field just to feed the family and many died at early ages as a result. Factories even dangerous ones were a step up. Only when productivity rose to the point where most people could just survive on the parents income did it even enter people's mind that kids shouldn't work. The regulations just followed that natural progression.

      --
      I love Jesus, except for his foreign policy.
    10. Re:Money buys power. by PoopCat · · Score: 1

      If you really think that the only reason companies don't intentionally kill people is because of laws you are beyond hope.

      One word: cigarettes.

    11. Re:Money buys power. by eldepeche · · Score: 2

      The acid rain program in the 1990 clean air act set maximum levels of sulfur emissions, set per-coal-burning-unit targets and provided an incentive for reductions beyond that target (tradable emission credits). Emissions were successfully reduced, starting with the units where it was most economical to do so.

      I don't think anyone said that regulations don't have unintended consequences. They move the equilibrium to a place deemed more socially beneficial. The FDA makes medicine more expensive, but it also forces manufacturers to disclose the ingredients (so you can tell if you're allergic or don't want to pump your coughing kid full of cocaine) and side effects and ensures that drugs are reasonably safe.

      (Of course there are hundreds of reasons why health care is more expensive in the US than Europe, and none of them are "way more prescription drugs in Europe," nor have I ever heard a libertarian talk about how European health care is great because it is free of regulation.)

    12. Re:Money buys power. by trout007 · · Score: 1

      Right, because companies invented smoking tobacco. People love smoking for whatever reason and companies exist to serve them. Or we can ban it like other drugs like weed and heroin. That way nobody can use it and life will be all better. Oh wait that isn't working out either.

      --
      I love Jesus, except for his foreign policy.
    13. Re:Money buys power. by Bucky24 · · Score: 1

      Smoking tobacco by itself in its natural form is not as hazardous as smoking the tobacco you buy in a store. Tons of chemicals get put into it (for what reason I have no idea) by the manufacturer. Companies did not invent smoking tobacco, but they made it more unhealthy and widespread. Just like McDonalds didn't invent unhealthy food that makes you overweight, but they certainly made it a lot easier to get and a lot more fattening than it was before (since that's what makes it taste good).

      --
      All the world's a CPU, and all the men and women merely AI agents
    14. Re:Money buys power. by eldepeche · · Score: 2

      Replace "intentionally" with "negligently" and you won't be far from the truth.

      The regulations help ensure that tap water won't kill anybody. I think that's a pretty reasonable floor for water quality. The fact that some people are willing to pay for slightly cleaner water does not mean that everybody else should be subjected to unsafe water, necessitating further filtration.

      Lead was used in paint for a lot of reasons: drying time, color duration &c. Making paint without lead meant it was more expensive to get the same quality. Without regulations, it might still be sold, but only to poor people.

      Companies, by and large, only stop doing bad things when it become profitable to stop. Regulations serve to make it more expensive to behave badly.

    15. Re:Money buys power. by trout007 · · Score: 1

      Well there are organic tobacco products on the market but they don't have a big share of the market. Why? Because people like the taste of the stuff they add. They also add stuff to keep it burning. I don't smoke so I have no idea why. All I know is people like it. I don't mind the government doing studies and warning people but if people know the facts and choose to take the risk I say let them.

      --
      I love Jesus, except for his foreign policy.
    16. Re:Money buys power. by Bucky24 · · Score: 1

      Yes, I know, just like people like the taste of a McDonalds burger. I didn't say there was no reason people enjoy the tobacco.

      --
      All the world's a CPU, and all the men and women merely AI agents
    17. Re:Money buys power. by rlglende · · Score: 1

      How does Glass-Steagall argue against 'money buys power'?. I said that regulations never work. Glass-Steagall may have 'worked' once, at unknown cost to the economy in both expenses and opportunity costs, but it is certainly no longer a problem for the industry. When the banks saw the opportunity for new kinds of trades and making $ by trading on Wall Street, regulations were adjusted to suit their new opportunities.

      No, I don't think the FDA makes safer food. In fact, food would be safer if we could sue the companies that feed us mad cow brains (FDA stopped companies from testing every cow, FDA regulations were carefully crafted NOT to find cases), Listeria regs were careful not to be really clean, e.g. http://www.listeriablog.com/listeria-watch/fda-issues-new-listeria-guidance-for-industry/, and on and on and on. The regulatees get the regulations they want.

      If you don't like 'money buys power', please explain how you are going to buy more power than the large corporations and very rich oligarchs. Otherwise, eat the contaminated food, do without the drugs, hope that our corporations are a hell of a lot more responsible than, for example Japanese power companies and their incestuous regulators. Oh, yes. US nuclear power companies have strict limits on their liability. They needed those regulations.

      There are indeed all of the regulations you mention. Indeed, many things work. But every example you provide for private industry is a cartel that carefully crafts the regulations to remove competition and maximize their profits. Also, the cost in time and effort to change, for example, designs to improve road safety, are long delayed by the regulatory agencies. Listeria, for example, wasn't regulated until 2008, although it was a known, and increasing, food safety issue since bacteriology came into being. Green movements are continuously suing the EPA. Google for 'law suit FDA food' produces 11.8M links.

      Regulations can't accomplish many important goals. For example, the difference in mortality between the best and worst hospitals is 2X. Between the best surgeons and the average surgeon, 10X for morbidity and mortality -- think what the lower rung of surgeons do to people. All are equally regulated.

      If you adjust your definition of 'works' to mean 'accomplishes its goal at unknown, but very high, cost and with significant side-effects and perverse consequences', sure. I can make anything work with that definition, and get rich doing so.

      There are likewise 100s of studies showing that gov costs 4X to provide services compared to private industry and 100s of industries that work with minimal regulations to speak of. A favorite example is building steam boilers. Those are low-cost industries, as compared to the ones you mention.

      Money buys power. Therefore, all power is eventually corrupted. Therefore regulations can't possibly work.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    18. Re:Money buys power. by geekoid · · Score: 1

      What about the people who don't take the risk but are still affected?

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    19. Re:Money buys power. by jmactacular · · Score: 1

      Good points. Interesting discussion going here!

    20. Re:Money buys power. by Anonymous Coward · · Score: 0

      Where was the massive outbreak of mad cow disease in this country? What weird planet do you live on that there aren't any variations in good and bad things such as hospitals and surgeons? Do you really think we should raise the bar so that only the top 10% should practice medicine? How long do you want to have to wait to get that appendix taken care of?

      Take away that regulation that says doctors have to go to medical school. See how that works out for you when you get sick.
      Remove those building codes from California. Let's have building collapses on a massive scale for the next quake.
      Let's get rid of the FDA. You can simulate this by going to Mexico and drinking the water.
      No regulations on building bridges. You be the first one to drive a big truck over it, OK?

      Regulations are necessary. If you can't see this, you're ignoring facts.

      Regulations are mainly in place because private industry WAS doing unconscionable things to lower their own costs and increase their profits. You don't know anything about history if you don't know that.

      You have not mentioned ONE failed regulation. You've mentioned a bunch of super narrow, isolated cases ignoring the 99.99% of cases that regulation has helped immensely. FDA has saved thousands of times more lives than any example you can give of them harming.

      Regulations do, and have, worked. Your examples are like saying that since I got scratched by a cat and am bleeding, my skin does not work.

      Your logic fails, since money is not the ONLY thing that will get you power, all power is NOT eventually corrupted. You have provided zero proof of your claim 'regulations can't possibly work".

      Your Google search also fails. If you google 'law suit FDA food', you get 11.8M links, because it doesn't matter where those terms appear on the page, they don't have to be in consecutive sentences. If you google "lawsuit against FDA" you get 79,700 links, almost all of them companies suing the FDA.

    21. Re:Money buys power. by hrvatska · · Score: 1

      Regulations eliminating lead in house paint and on toys were certainly a good thing and well worth the costs. The clean water act and its attendant regulations have been responsible for a great deal of the improved water quality in the US. The benefits of the clean air act far exceed its costs. Sulfur dioxide emissions declined 40 percent as a result of the Clean Air Act, nitrogen oxide 30 percent; volatile organic compounds 45 percent; carbon monoxide 50 percent, particulate matter by 75 percent; and lead by 99 percent. These reductions led to corresponding reductions in byproducts such as ground-level ozone and the sulfates and nitric acids that contribute to acid rain. Everyone who would like to live with Beijing's air quality raise their hands. To be fair to China, Beijing's air quality, while it has a way to go to be as good as Los Angeles, has been improving due to government regulation. Toy regulations produced by the CPSC have greatly increased the safety of children's toys. And speaking of the CPSC and children, regulations regarding cribs have improved cribs and saved children's lives. Mine safety regulations have resulted in much safer mines. Childhood labor laws have benefited children. Restaurant hygiene regulations safeguard the public health. Regulations requiring childhood immunizations have greatly reduced the toll of a number of diseases. The list goes on and on.

    22. Re:Money buys power. by rlglende · · Score: 0

      So you claim only areas that are getting regulated improve, and that there is a dose-response relationship, so the more regulation the faster improvement?

      You can't support that, of course.

      If it is another argument, please explicate.

      You also didn't deal with 'money buys power' or the implications thereof.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    23. Re:Money buys power. by rlglende · · Score: 1

      You are quite wrong about that. Glass-Steagall was a fine example of a failed regulation : when it became inconvenient, the industry changed it.

      Actually, given the incubation period of JCvariant / 'mad cow disease', we can't be sure we aren't having a massive outbreak. I believe there is still no test for people. The FDA only found 2 cases, but their methods were intended not to find them. Look at the case in the Seattle area, guy who, by happenstance, killed a cow outside of the standard area and that triggered the test, not the fact that she was obviously older and had serious problems of coordination. He said the regs were obviously intended to avoid finding the disease.

      MDs are one part of several cartels. Foreign-trained MDs basically have to go through the entire training program again, so rarely are able to. I know a good number of these people, very fine physicians in their own countries who are now doing echocardiograms, ... Thus the price of medical care is kept high. The various associations of MDs have always controlled the number and size of medical schools. They control the medical boards, state regulatory boards, ... They deal very severely with people who try to innovate == compete with more advanced treatment, have driven the best physician I ever had out of the business.

      Yes, govs, corporations and individuals in the past were less concerned with the value of human lives than now. We fixed that with stricter legal liability, basically took the power from the gov that protected them. We did regulations too. Which ones were the cause of the changed behavior?

      The Bush-Obama administration is an existential proof that this power is corrupted absolutely. The various bailouts show the same for most govs in Europe, also. We can imagine a time in the past when that wasn't true, paradise is always in the past, but detailed history says this happens a lot.

      Name a regulatory agency whose high level administrators don't retire to industry. Name a regulated industry that doesn't spend $Ms on lobbying. Name a legislator who doesn't get campaign contributions from regulated industries. Sure regulations work. Of course regulators and gov officials and elected officials are not corrupted by money. Which is why Big Pharma doesn't have to worry about European drugs competing with their American drugs, and on and on. None of which examples you have dealt with.

      You are quite right about my claim via Google. I am very sorry, sloppy on my part.

      There have, however, been a lot of recent lawsuits against the FDA seeking to avoid various levels of testing so that near-death patients could get the drugs. The FDA has won, you have no right to take risks with your health, even when near death. Compassionate of them and a fine example of a successful regulation, minor side-effects. An example repeated with every cancer patient, many heart failure patients ... for all of the drugs in the 10-year-long pipeline. And again for the off-label uses of drugs which the FDA does its best to restrict. All of the deaths from cigarettes must be charged to the FDA, btw, because for 60+ of the 65 years during which there was good evidence of smoking causing cancer, the FDA prevented effective means of administering nicotine, e.g. smokeless cigarettes. It was a drug, you see, addictive.

      Give it up. This model of government has definitively failed.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
    24. Re:Money buys power. by lonecrow · · Score: 1

      Lead was used in paint for a very long time. Only when it was shown to cause problems did people want it out of their paint. Sure a regulation was passed but the market wasn't there for it anymore anyway.

      And thanks to labeling laws you knew which paint had lead and which didn't. And if it said it didn't but did, there was a regulation that punished that company and forced them to recall their product. Written Laws (regulation) have been a rather good invention. I say we keep it.

    25. Re:Money buys power. by TubeSteak · · Score: 2

      So you claim only areas that are getting regulated improve, and that there is a dose-response relationship, so the more regulation the faster improvement?

      I said no such thing.
      All I did was point out the gaping hole in your logic.
      "Regulations never work" is an ignorant thing to say and you're an ignorant person for saying it.

      There's no point in having a conversation with someone whose basic premise is that regulations don't work. They do.
      They're not perfect, they can be manipulated, they can even backfire, but they're better than not having regulations at all.

      You also didn't deal with 'money buys power' or the implications thereof.

      The alternative to money manipulating regulations (money buys power) is not a capitalistic laissez faire utopia.
      It's just more money buying power, but without any chance for the consumer's interests to be considered.

      You could stand to read about the history of the US labor movement and US regulatory agencies.

      --
      [Fuck Beta]
      o0t!
    26. Re:Money buys power. by Anonymous Coward · · Score: 0

      Define what you mean by regulations working. Do you insist on perfection? We don't live in a perfect world.

      HIPAA works. It has helped our society realize our personal information is worth protecting. It is not perfect, but it does work to bring incremental change that improves the security of our personal information. Without regulation, explain to me how entire industries will do the right thing as opposed to making easier choices on the way to the bank.

    27. Re:Money buys power. by Anonymous Coward · · Score: 0

      So we're in the middle of a massive invisible outbreak of Mad Cow Disease? Why not claim time travelers at this point, you have no proof of this at all. Zero. None. Just your insane conspiracy theory.

      Foreign doctors have to undergo more training here? Horrors. Evil. Obviously another conspiracy.

      "We fixed that with stricter legal liability." No, we fixed that by regulating the industry. You can still sue regulated industries. There are extremely rare cases where you cannot, but those do not affect the vast, vast majority.

      I'm not dealing with your crazy examples because they DO NOT REPRESENT 99.9% OF CASES. You're ignoring the 99.9% to focus on the vast minority, and stating that proves the other 99.9% invalid. That is insanity.

      You don't understand anything about science or medicine with your rant about the FDA. Or about legal liability, either - remove the FDA testing and every single drug company would have been sued out of existence a long time ago for selling drugs which didn't make it to market because the FDA testing found them dangerous. Personally, I like living in a world where new medicines are developed. You like living in a fantasy land where "wait for the lawsuit after people die" is a superior solution.

      You stated the regulations cannot work. You are clearly, absolutely and completely wrong in that.

    28. Re:Money buys power. by Jaxoreth · · Score: 1

      Your question is just another version of "What have the Romans ever done for us?" The answer is "a lot" and whoever modded you up should be ashamed of themselves.

      No, "a lot" is the answer to a different question.

      --
      In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
    29. Re:Money buys power. by blair1q · · Score: 1

      Just an n.b. because I looked it up because "melamine used as a filler" sounded odd because it'd be a really expensive filler:

      It isn't used as a filler, it's used to jack up the score on the protein-counting test (which is really a nitrogen-counting test and therefore exploitable) and pretend the food has more protein than it does. A little melamine looks like a lot of protein.

      So it's an adulterant rather than a filler.

      The more you know.

    30. Re:Money buys power. by blair1q · · Score: 1

      >If you really think that the only reason companies don't intentionally kill people is because of laws you are beyond hope.

      Have you ever thought about what those cigarette company executives were thinking after they found out (in the nineteen-fucking-thirties) that they were selling sticks of poison?

      The only reason companies don't intentionally kill people is because of laws that would stop them from profiting from it. Absent those laws, killing you is a profit center and therefore a company will be formed to exploit it.

    31. Re:Money buys power. by PoopCat · · Score: 1

      Do the cigarette companies introduce chemicals into their products that increase the addictivity of their products, in order to keep people smoking? They sure do. Do these same chemicals increase the risk of death or serious illness? That's a big yes. Are they prevented from doing even MORE to increase said addictivity, or to market their products to new customers, out of the goodness of their hearts? My money's on no.

      Your reply is disingenuous and specious, and you know it.

  18. Companies you do business with? by black+soap · · Score: 1

    Does this only apply to companies that you do business/interact with, or will this apply to all the companies that keep data about you, including your social security number, for sale to anyone? Are those data-mining companies affected at all?

  19. news flash: Sony is not a US company by Anonymous Coward · · Score: 0

    Why is it that Americans always think it's OK to force their laws on everybody else?

  20. what about the government? by Charliemopps · · Score: 1

    What happens when the feds violate these rules? Nothing? That's what I figured.

    I'd much rather have my banking info stolen by Russian mobsters than by the NSA. One will, at most, clean out the account. The other will rendition me to the middle of Africa because I bought the wrong kind of rug in the duty free shop while on layover in Istanbul.

  21. We all know by shoehornjob · · Score: 1

    that corporate interests will find some way to either defeat the proposed bill or change the punishment to a slap on the wrist. I'm guessing that someone hasn't paid this guy off recently and he's getting bitchy about it.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
  22. How Many Are Preventable? by Zamphatta · · Score: 1

    Just from a server admin's POV, 98% is preventable. That's taking into account that a hardware or software bug that is out of the admin's control, becomes a crazy zero day flaw. I could teach my grandma to secure a server so it never has data breaches. It's really not that hard.... (1) Always install the patches. SONY didn't patch, DigiNotar didn't patch, etc. (2) Always encrypt the user's password in the DB field. SONY stored them in plaintext! (3) Admin password should never be the default one. (4) Don't use Windows. Use Linux, *BSD, or something else with a good solid reputation of great security (and for a lot less money too!). ...just following those four concepts will give you a great start on security even if you don't know what you're doing. Most /.er's already know all that, but hey, somebody's gotta spell it out for the newbies.
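
Points (2) and (3) of the comment above, as an added example that is not part of the original post or of any product it names. What the comment calls "encrypting" the password field is done in practice as salted, deliberately slow password hashing (here PBKDF2-HMAC-SHA256 from the Python standard library), so that a dumped table yields no reusable passwords; the same account-creation path refuses factory-default logins. The `DEFAULT_CREDENTIALS` list, the record format and the iteration count are assumptions chosen for illustration, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed list of factory-default logins for illustration; a real deployment
# would load a fuller list (assumption: not an authoritative list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("sa", ""),
}

PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_default_credential(username: str, password: str) -> bool:
    """Point (3): never let a vendor default survive account creation."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def create_account(store: Dict[str, str], username: str, password: str) -> None:
    """Refuse factory defaults, then store only the salted hash, never the password."""
    if is_default_credential(username, password):
        raise ValueError(f"refusing default credential for {username!r}")
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    stored = store.get(username)
    if stored is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    create_account(users, "alice", "correct horse battery staple")
    # A dump of this table now yields only salted hashes, not reusable passwords.
    print(users["alice"])
    print(login(users, "alice", "correct horse battery staple"))
    print(login(users, "alice", "wrong"))
```

The record stores its own salt and iteration count, so the cost can be raised later for new hashes while old ones still verify; `hmac.compare_digest` avoids leaking how many bytes matched through timing.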

  23. Great idea, but... by Xenkar · · Score: 1

    I think it would be better if we just made it so that lenders themselves are liable for any bank fraud that gets through due to insufficient identity verification.

    Identity theft doesn't exist. Instead banks are being robbed and they are making victims out of their customers.

    If a person notices that some bank let somebody else open up a line of credit in said person's name, said person just needs to say "I did not open this line of credit." It would then be up to the bank to prove otherwise. The bank should also be liable for damages to a person's credit rating if the bank ruins it because of their lapse of judgment.

  24. This bill may be partially good, partially bad by MobyDisk · · Score: 0

    We haven't seen the bill, so it is a bit early to tell. However, it sounds to me to be half-good and half-bad:

    From the article:

    The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches

    Punishing entities for crimes is good, and within the purview of government. But I am not sure the government can do a good job of telling them how to secure their data.

    These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly

    The real problem with telling them *how* to do it is that when they do those things, but still get hacked, they can say that they followed the regulations so they are innocent. This happens in other highly-regulated fields, and it does make sense to some degree. But this is a field that changes rapidly and is very technical. They can say that the data must be "encrypted" but that is too vague. Or they can say "encrypted with 1024 bit encryption" which is still vague, and does no good in 2 years when every smart phone can break that encryption. On top of it all, you create yet another government regulatory agency.

    Ultimately, I am excited about this bill since I have been clamoring for something like this for many years.

  25. Sloppy lawyer bait. by Anonymous Coward · · Score: 0

    I took some time to read through the text of the bill at opencongress.org. I'm not a lawyer, but the bill looks sloppy. It makes definitions that aren't actually used (maybe this is for the benefit of modifying other legislation?). The bill sets up a commission to perform audits of private systems without nailing down what the requirements for due diligence are.

    As a DBA with an interest in security, I'm not so sure that this is going to be worth the effort. Most thefts of personal information that I've read into came in as authenticated users which would bypass file and transmission encryption anyway. The notification parts of the bill are probably a good idea, but there was an article today about Stanford Hospital that had an open leak for a year. Would people be prosecuted or be held liable in that scenario? Should they be? Should the vendors? The people causing these losses aren't even addressed in this legislation as far as I can see. That's the really bad part.

    I believe that this bill is only providing employment to trial lawyers.

  26. Make the Fines Meaningful by Jerrry · · Score: 1

    The problem with legislation of this sort is that the fines imposed are ludicrously small compared to the revenue of the companies being fined.

    If I were fined for, say, exceeding the speed limit at the same ratio to my income as most fines imposed on companies, then the fine would be something like $0.05. Hardly a disincentive at all.

  27. Looks like a nice win for big government by Anonymous Coward · · Score: 0

    Brief Summary:
    1) Create another new Federal Agency (Privacy Policy Office) because none of the existing 100,00+ federal agencies can handle writing the new regulations.
    2) The F.T.C. gets the authority to enforce the regulations; that is, the F.T.C. will now have some authority over internet activities.
    3) Government agencies will be exempt from the new regulations.

    Looks like a nice win for big government.

  28. Everything I do is Performance Art by Anonymous Coward · · Score: 0

    rights to redistribute are not granted

  29. Bull by Anonymous Coward · · Score: 0

    Let me see if I understand this. A company gets hacked and my personal information is not stored encrypted, so it ends up costing ME money, so that company gets fined where they end up paying money to the Government?

    What's wrong with this picture?

  30. Sounds more like a free pass for sloppy security by SirGarlon · · Score: 1

    So let me get this straight: if the company fails to meet the guidelines, and the data leaks, consumers can sue. Can't they already? I fail to see how the consumer gains anything from this. And as others have pointed out, if a company does meet these proposed federal guidelines, and the data still leaks, it sounds like they'd be indemnified.

    All I see coming out of this is another costly, compliance-oriented set of regulations that place a burden on companies and at the same time deny citizens their right to hold data stewards accountable through the courts. Sounds like a lose-lose to me.

    A compliance-based checklist, "thou shalt do X" has all sorts of problems that basically boil down to putting incentives on bad security. Frankly I think mandatory disclosure of data breaches is more effective, because that way the company is held accountable no matter how the breach occurred.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  31. More Work For Everyone Who Works for a Company by Anonymous Coward · · Score: 0

    When the company I work for was recently acquired by a publicly traded company, I spent a few minutes connecting to my e-mail account on my phone, and about ten minutes later I removed it. Why? Because the e-mail account required me to use a locking pin number. Which locks every 5 minutes. Why? Apparently because of some federal rule or law for protecting private information in corporate e-mail. Thing is I have no private information in my e-mail account, I write desktop software. All I have in my e-mail account is bug reports and pleadings from my manager to meet deadlines. There is literally nothing in my e-mail I wouldn't relay to you if you asked. Thankfully, it's my phone so I can take it off, but now my manager never knows when I might read my e-mail on my desktop machine.

    So you guys can cheerlead some grandstanding politician sticking it to the man, when all you are doing is filling the world with ridiculous butt covering procedures which make the working guy's life just a little less flexible.

  32. While we're at it... by Anonymous Coward · · Score: 0

    ...why don't we ban the use of SSNs for anything other than as a personal UUID for government programs? Why don't we ban the sort of data sharing and selling that lets "credit scores" exist? Why don't we charge CEOs who refuse to pay for adequate security with conspiracy to commit fraud and identity theft? Seriously, let's not pussy out here.

  33. Data Retention Laws by CrimsonAvenger · · Score: 1

    Is this going to turn out to be like the data retention laws, which managed to metamorphose into rules mandating destruction of data?

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
  34. Someone high up the ladder by Anonymous Coward · · Score: 0

    -must have had their data compromised or their daughter's or son's.. The mishandling of consumer data has been going on for years. This is a joke.

  35. Corporate Anarchy by MickyTheIdiot · · Score: 2

    As we see in this thread, we have an idea that corporate anarchy will solve anything.

    I bet we're going to have a data event at some point that is going to equal 9/11 in importance before anything gets done, and then it will be some kneejerk reaction like the Patriot Act. We're totally screwed up in this country and at some point someone is going to decide that it's time for creative destruction... and that's scary.

  36. What happens when... by Anonymous Coward · · Score: 0

    it is a government agency that is found to improperly handle private data?

  37. Re:Sounds more like a free pass for sloppy securit by the+eric+conspiracy · · Score: 1

    Crikey, this is exactly the opposite of how it should work. I don't give a rat's ass what tech they use, and in fact specifying a tech makes your data less secure because once that is cracked somebody will put together a kit, i.e. US Data Security Law CR14-23 Canopener.

    What is needed is very simple. Corporate Officers must sign a document "we didn't have any leaks last year". If they don't sign or it turns out to be a lie, 5 years in Federal Prison + reimbursement of damages paid out by court assigned special master.

  38. What?? by Dunge · · Score: 0

    You mean, it's currently not punished? WHAT?

  39. More compliance bullshit by Anonymous Coward · · Score: 0

    I already have a bunch of extra work thanks to the government. They want to give me more? And you think the company's going to hire another guy to handle the extra stuff I don't get done because of the federally-mandated junk?

  40. Already in Europe by paugq · · Score: 3, Informative

    This kind of legislation has been in place in Europe for at least 20 years now.

    I don't know the specifics of the proposed US law but in Europe:

    • It has not promoted outsourcing, off-shoring, or anything like that. The law here is very picky on that: if you want to collect data from your customers, you take care of it, you cannot outsource that to some other company to avoid law.
    • In fact, you cannot sell, loan or transfer personal data to any third party without getting explicit acceptance from the individuals affected
    • In every company there is a person (physical person) responsible for each data "file" (i. e. a database with personal data). The company is only accountable for money but that guy is accountable for criminal offenses.
    • Fines are pretty hefty. In my country, from 600 EUR (a very very very dumb issue, like publishing your name + ID card number in a report card) to 600,000 EUR (for some serious trespassing, like selling data to a third party).
    • As a consequence, companies are careful and even the smallest ones take some minimum security measures.
    1. Re:Already in Europe by Anonymous Coward · · Score: 0

      And yet the laws are mostly ignored, and the authorities very rarely fine anyone (in the UK at least).

    2. Re:Already in Europe by sleiper · · Score: 1

      Yes, the Data Protection Act 1998 in the UK holds companies accountable for not securing data correctly. Broad principles are below:

      1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
      2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
      3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
      4. Personal data shall be accurate and, where necessary, kept up to date.
      5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
      6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
      7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  41. Two concerns and a conclusion by Anonymous Coward · · Score: 0

    Will it actually help protect people's information?
    Will it do anything about the masses of data collection and sharing?

    They'll simply declare all breaches to be a new dynamic approach to sharing resources in a synergistic partnership with numerous small businesses...

  42. We've got one too by courcoul · · Score: 2

    FYI, Mexico passed the "LEY FEDERAL DE PROTECCIÓN DE DATOS PERSONALES EN POSESIÓN DE LOS PARTICULARES" or "federal law for the protection of personal data in the hands of third parties " (official decree page in Spanish: http://dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010), which is scheduled to go in effect on Jan/2012. This law is equivalent to the US legislation and was probably a mandatory development in line with NAFTA and other international agreements.

    BTW, this has proven to be a big business opportunity for the likes of IBM and others, as all responsible companies in Mexico scramble to comply by the deadline.

  43. Laissez-faire is retarded by del_diablo · · Score: 1

    A small point: Kids were working full-time jobs and continued to work under their parents' approval all the way into the modern world, until there were regulations DIRECTLY banning it.
    Why? Because the parents invested their kids' short-term time into their short-term goal, which is to earn money.

    And food labels? Poisoned food.
    Companies WILL sell me fish filled with lead, acid or anything else if they feel like it.
    Why would they feel like it? Because they earn money on it.
    And why do they earn money on it? Because there are no regulations forcing them to a minimum standard, and because the court system has never worked.
    Look at it this way:
    1. I need a right to be able to more or less murder the entire company if they managed to spread poison in bad faith
    2. I need to have a right to SHUT DOWN the company if their business practice is not directly intended harmful, but rather passively lethal, and its not intentional
    3. I also need to force any company to disclose all their information to me, and a neutral examiner, if i want to
    4. And yet somehow the corporation needs a protection against random arson....... Which creates the problem of turning the "we need this" into "A needs X, but so does B, and then there is a conflict of interest"
    5. The workers must have a full right to kick out and murder the CEO and leaders for mismanagement
    6. And yet in the middle of this there is supposed to be no legal protection nor any minimum standards, or any way of prosecuting anybody without doing outright murder and hoping nobody finds out.
    If a company decides to poison their fish they can decide to lie, and tell that "we didn't do that, it's a mess up! we will do better next time!", and you can't separate it from an actual accident. So they can't be axed for being bastards, yet they are.
    The other problem is that the corporation would still have the right to move their practice of a shop, and since "local bans" only lasts something like 50x50 km, how are we going to bring them to justice without a large unified ban?

  44. Re:Not about protecting data, it's about protectin by geekoid · · Score: 1

    Are you implying they should be punished for something that will eventually happen even when they take good security measures?

    Your premise is faulty, but I will ignore that part of it.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  45. And who "protects" the stockholders? by unassimilatible · · Score: 1

    All fines do is hurt the stockholders, not the executives responsible for the fuckup.

    Too bad Peter Schiff didn't win that Senate seat, because then you'd see some real change.

    --
    Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
  46. What world do you all live in? by rlglende · · Score: 1

    Good luck with getting that law passed. Haven't seen many like it lately getting passed, R or D in power. Same owners, I think.

    "Stiff fines" costing the company more than the xxx is the standard method for enforcing all of the laws, works OK for you and me, but not for the guys with real $. They make campaign donations, socialize with the various attorney-generals and judges and regulators. Or their attorneys and PR firms do. In any case, the company pays the fine and usually has the BOD in his pocket (more great regulations), so it doesn't affect his bonuses in any way at all.

    Regulations end up protecting them, hence all the lawsuits by 'progressives' to force the regulatory agencies to do their jobs.

    For 65 years all of the large and high-level institutions around the world have been run by the best and brightest graduates of the finest institutions for education and advanced training in the entire world. Most of the smaller/lower-profile institutions and businesses have been so for at least the last 20 years, since the WWII generation retired.

    The result of their fine systems design skills is that the entire world is about to fall into a depression, that the rich own the system, and are riding all of us over the brink. The ruling elite will spend every last cent of public money to try to preserve their institutions, and the politicians will go along with it because 'money buys power'. Lots of governments will have new constitutions in the next 10 years. Lots of people will die, already have been because of Fukushima and the higher death rate that accompanies even minor recession. Horrendous for the people who are closer to the poverty line; food prices have starved a lot of people in the last year.

    And you guys are still fighting the last fight (which the rich of the day orchestrated), rather than understanding that the problem is 'oligarch / ruling class against the rest of us'.

    --
    "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
  47. regs vs regulatees == hackers vs us by rlglende · · Score: 1

    Regulators write rules. Regulatees work very hard at finding routes to their goals through those rules. Regulators don't much like the work of enforcement. Which is why nobody in any large investment / trading organization will go to jail, why Bernie Madoff only went to jail after 20 years of living the high life.

    We programmers have amazing tools. They allow us to ensure consistency between components of our programs, to identify bugs before the program executes, to restart from a known state and continue step by step, to test and retest programs at every stage of development to ensure that they meet requirements. We have standard processes that ensure large numbers of people work toward a goal and deliver systems that meet the requirements.

    Hackers still manage to find ways into our systems. Some of them are smarter than anyone on any team, so we are at a permanent disadvantage.

    Law and regulations have none of those tools. Laws cannot be made internally-consistent except by the tool of human minds. We programmers know how well that works. Laws cannot be made consistent with other laws except ditto. We programmers ditto.

    Law has no way of testing laws and regulations before they are implemented. We know that even simple systems cannot be delivered without extensive testing.

    They turn out 10,000 page laws with no testing.

    Tell me how that can work.

    This from the first principles all of you learned in school. We haven't even started dealing with esoteric topics like the sociology of ruling classes, the social dynamics of regulatees and regulators, the strong psychological influence of power and money upon decisions made by humans. Or how easily societies are corrupted, how easily normal individuals become torturers under strong leadership, and the political consequences thereof. The big increases in death rates that lousy governments produce. The plight of the poor who are most mercilessly raped by the system.

    And so many say it is all about controlling the corporations. For the children, no doubt.

    --
    "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
  48. So this is a very Libertarian society? by rlglende · · Score: 1

    Your argument plus the sad state of our society, where the rich are massively screwing the poor and the rest of us too, leads one to believe the Libertarian Revolution already happened.

    It hasn't. Can't be the reason for the world-wide depression and the escalating rich-crush-poor scenes we are entering.

    So maybe it is our wonderful blend of business and government? The incestuous ties between government, regulatory body and regulatee? The ever growing set of restrictions that limit competition, raise campaign contributions, give retiring gov execs something to do when they join their former brother-in-facade. The escalating bureaucracies in all of them to keep track of each other, the evolving market and new opportunities for aggrandizement? Too bad about costs, but the poor must sacrifice when the rulers command.

    --
    "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
  49. The Law of Unintended Consequences by cmarkn · · Score: 1

    This legislation accomplishes three things:

    1. It sets a standard for handling private data, so that when it leaks the leaking agency can point to their policy that meets the standard. This protects them from lawsuits by people who are harmed but can get no restitution or help repairing the damage done them.
    2. Meanwhile, some government agency can claim jurisdiction and collect a large payment that disappears into the tax coffers.
    3. Meanwhile, I don't see any hint that this legislation would apply to government agencies, such as police departments and tax offices, who are, at best, no better at protecting data than any corporation. Indeed, it will almost certainly specifically protect all government entities from being sued by the people they harm.

    Altogether, this helps no one but government, and effectively lowers the protection of data, not raises it.

    --
    People should not fear their government. Governments should fear their people.
  50. Re:Not about protecting data, it's about protectin by Anonymous Coward · · Score: 0

    when the data does leak, the companies will be immune from prosecution, since they did everything they were required to do.

    And we have a winner, folks.

    Well, maybe not always from prosecution, but certainly from civil lawsuits. Prosecution they can handle by delaying, settling, paying small fines, and making reassuring statements.... it's those civil jury awards that really hit them in the pocketbook.

  51. SO??? by Anonymous Coward · · Score: 0

    Then companies (web hosting) would go outside of the US. The US based companies would just point the finger and say "it's not us, it's so-and-so company, they are registered in the Turks and Caicos (or some other country that has strict secret banking laws), go talk to them."

    I like the idea but its a brick wall and you can't call the ghost busters.

  52. It's ironic... by rgviza · · Score: 1

    ... how people that cause automobile accidents aren't usually criminally charged, even though the accidents are all preventable and damages are usually in the felony range if it were vandalism or theft. It sure feels like computer people are being singled out. People don't even die when data breaches occur like they do in autos when people screw up and 99.99% of the time, someone screwed up in an auto accident.

    --
    Don't kid yourself. It's the size of the regexp AND how you use it that counts.