Slashdot Mirror


New Legislation Would Punish Mishandling of Private Data

An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"

28 of 187 comments

  1. Oh, great .... now, instead of by Jerry · · Score: 4, Insightful

    insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

    --

    Running with Linux for over 20 years!

    1. Re:Oh, great .... now, instead of by edmanet · · Score: 3, Insightful

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

    2. Re:Oh, great .... now, instead of by djdanlib · · Score: 2

      You'd REALLY like to think so. So would I. Unfortunately, all of history proves that your average (key word: average) customer is about as smart as a bag of rocks. All you need to do is give them a good sales pitch, and they don't even bother to read the fine print on the paper you hand them! It's really sad and one of the reasons I needed to get out of retail so long ago.

    3. Re:Oh, great .... now, instead of by eldepeche · · Score: 2

      FTFY

      By making it grammatically incorrect?

    4. Re:Oh, great .... now, instead of by Mad+Merlin · · Score: 2

      Maybe this will provide disincentive to companies that simply snarf up all possible personal data because they can (I'm looking at you, Facebook). This is by far one of the most annoying trends as of late. That's why Game! doesn't ask for any personal information (because it doesn't need it) and makes email optional (if you want to be able to recover your account). Perhaps others will follow suit...

    5. Re:Oh, great .... now, instead of by eldepeche · · Score: 2

      So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

    6. Re:Oh, great .... now, instead of by uniquename72 · · Score: 3, Insightful

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business ... More laws are not always the best answer.

      Obvious problem: There's no impetus (without laws) for any company to ever tell you that they've lost your data. So your model fails completely.

    7. Re:Oh, great .... now, instead of by webheaded · · Score: 2

      Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

      I think the real point here is that I shouldn't have to keep getting screwed when I have absolutely no say in the matter. I don't KNOW what a company's internal security practices are like, so how the hell am I going to be able to do anything about it? What you're saying is ridiculous. You can't know until it is too late, and that doesn't seem to really convince anyone else but the company that was attacked to actually do something. So no, your "Darwin" system fails in my mind. I don't see how that would ever work in the real world.

      I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF

    8. Re:Oh, great .... now, instead of by Entrope · · Score: 2

      Courts would decide whether a data holder fulfilled a duty to protect data they hold, just like they decide (as necessary) whether people or groups fulfil fiduciary or other duties under other laws.

      Companies are companies. Industry groups are what companies form when they have a common problem to solve, and working together to solve that problem is better than trying to solve it separately. (Courts might accept industry standards as sufficient care, or they might not. I would just expect companies to come together to try to figure out how to address security, because it would probably be acceptable under antitrust law and it lets them air out potential protection schemes.)

      Consumers cannot sue right now because they have no property rights in this data, and they do not suffer harm when the data is lost -- they only suffer (actual) harm when the data is misused, and the company that loses the data is approximately never the entity that engages in identity theft.

      Putting a dollar value on a breach is the hardest part of the scheme, but somehow we put price tags on other intangibles (such as intentional infliction of mental distress). I expect there would be arguments back and forth over the valuations, but that those would be no worse -- and probably better -- than what we see for things like medical malpractice.

    9. Re:Oh, great .... now, instead of by geekoid · · Score: 2

      Wow, you really have no clue of the market, do you?

      Why would companies disclose there was a problem at all? What about companies where there really isn't an alternative? What about industries where all the players stop caring because it costs money, and hey, they don't have anyplace to go?

      You do know business used to be run without regulation, right? And people were killed from a variety of things they HAD NO CONTROL OVER.

      That is why there are regulations. Please try to understand that. For one of many, many examples see: Robber Barons.

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

    10. Re:Oh, great .... now, instead of by WrecklessSandwich · · Score: 2

      I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

      I agree wholeheartedly. I think one of the big reasons regulation gets so much hate is poorly implemented regulations giving the broader concept a bad rap. In general terms I think the right way to regulate is to establish minimum standards that give a baseline of what is acceptable behavior. Behavior below that standard is in some way harmful to the public, which is what prompted the creation of regulation in the first place. Regulation should focus on what one should NOT do ("don't poison people's drinking water, through whatever means are required/logical for your situation") as opposed to spelling out specific things that one MUST do in order to be considered compliant. The latter tends to have a higher cost of implementation due to effective alternatives not being considered compliant, as well as having more potential for the regulation just plain not being effective at its underlying goal: the public welfare. The former reflects a healthy role of government in society: protect its citizens from harm while restricting its citizenry in as few ways as possible.

      In this case, good regulation would make companies liable for patently bad security practices such as:
      -Passwords written down on a post-it note under the keyboard (OK, you obviously can't really regulate this one reliably, but if you could somehow prove it in a negligence lawsuit it would be pretty awesome)
      -Failure to install critical security patches in a timely fashion
      -Not performing some basic level of testing systems against a simulated attack, especially for attacks that are very easy to perform like SQL injects
      -Failure to secure systems in response to previous breaches (Sony servers from various business divisions being hit by SQL injects all over the world over a significant time period)
      -Storing things like credit card numbers, passwords, etc in plain text
      -Very weak passwords, especially for sensitive logins. Things like passwords being 6 or less characters, all lowercase, password=username, or passwords that are based on easily obtainable information about the user of the account (wife/pet's name, etc)

      The following would be bad things to require as part of regulations. They could possibly be published alongside the regulations as recommendations/guidelines, but keep in mind here that the goal is to establish a baseline for what should be considered negligence.
      -Use of third party security software from an approved list. These kinds of schemes are bad because a sysadmin could take perfectly reasonable steps to secure systems without using "approved" software (good luck keeping that list up to date anyways), but in the event of a breach they get crucified for not installing Norton Antivirus 2001.
      -Although I did mention SQL injects as an example of stupid easy things you shouldn't get hit by, there should be little emphasis on specific vulnerabilities. As we're all quite aware here, technology changes far faster than laws.
      -Convoluted requirements about the complexity/periodic changing of passwords. A lot of people on this site have probably worked at *that company* where you have to change your 20+ character password every 15 minutes to something you've never used as your password before involving most of the symbols on their keyboard. Yes, I'm hyperbolizing like there's no tomorrow, but anything in that vein shouldn't be government-mandated.

      Unfortunately, I don't have much in the way of purely "bad" examples of existing regulation on hand (Obama's health care reforms requiring the purchase of health insurance is VERY bad, but those reforms also implemented a bunch of good protections that are all rolled up in the same law), but TubeSteak gave some good examples of the right way to implement regul

  2. A far better policy by cowwoc2001 · · Score: 3, Interesting

    A far better policy would be to require companies to disclose any time their servers are hacked, whether private user data is stolen or not. That would go a long way towards tying server security to a company's bottom line.

    Mandating specific guidelines is a bad idea because the government has no clue when it comes to good security, and even if they did, guidelines change over time.

    1. Re:A far better policy by Stormthirst · · Score: 3, Interesting

      Perhaps even mandated compensation paid to the person whose data was lost, depending on what was lost. If it were 'merely' your name and address then that's $5,000. If your telephone number too, then $7,500. If it includes your social security number, then $50,000. Biometrics? $100,000 etc etc etc. If the person concerned can prove that their identity was used in the commissioning of a crime - triple the compensation.

      See how quickly companies tighten their security.

  3. Use "certified" firms or be arrested by Kohath · · Score: 3, Insightful

    These types of government regulations always turn out like this:

    - Businesses are forced to use "certified" firms as contractors or auditors
    - "Certified" firms are politically-connected firms with Washington lobbyists on their payroll
    - Government agencies get created to police whatever is regulated in the law
    - "Certified" firms work with the agencies to make sure certification is exclusive so they can charge above-market rates (rent seeking)
    - Executives at "certified" firms contribute to Richard Blumenthal's re-election campaign.
    - Small startup firms are kept out
    - Innocent business operators are raided by regulating agencies, even though they never had a security breach.
    - Security breaches and private data compromises continue despite government regulation
    - There are fewer jobs for everyone handling private data, and there are fewer choices of services.
    - Everyone wonders why we have high unemployment and private data breaches.
    - People propose deregulating so we can have our freedom back.
    - Someone comes up with the private-data equivalent of "think of the children!!!!"

    - Time passes. Another hundred such regulatory regimes get added for every facet of life. Life steadily gets worse for everyone who isn't politically connected.

  4. Stiff fines my ass... by Overzeetop · · Score: 4, Interesting

    Put the corporate officers in jail - make the minimum sentence mandatory. It needn't be long. Hold people in power responsible and you'll see action.

    Business will make a value judgment based on the cost - $5,000,000 potential fine or $300,000 in IT changes means it happens. $5,000,000 fine or $3,000,000 in IT changes and all of a sudden it's not so clear cut. CEO and CIO guaranteed to get 6 months to 5 years in a federal pen for non-compliance and that IT change could cost $30,000,000 and it would be item number one on every single board meeting agenda until the transition is complete.

    --
    Is it just my observation, or are there way too many stupid people in the world?

  5. Re:Band Aid by kenh · · Score: 2

    "What this country really needs is constitutional amendment to bring the US in line with other nations like Brazil that have enshrined the right to privacy in their constitutions"

    Privacy is enshrined in our Constitution as well, take a look... Lotta good that does us!

    --
    Ken

  6. Which one costs more? by Kozz · · Score: 3, Insightful

    Unless the "stiff fines" cost the company even more than the implementation of storage guidelines, why would they bother? When laws against corporations hit only their pocketbooks (say the cost of a few weeks' worth of hookers and blow for the CEO), they frequently don't have any teeth.

    --
    I only post comments when someone on the internet is wrong.

  7. Money buys power. by rlglende · · Score: 2, Insightful

    Who do you think is asking for the rules? The same stupid corporations who can't ever provide decent security, of course.

    Before the rules are settled, companies will be immune to lawsuits from mere plebians who are injured by their screwups.

    Money buys power, so you can be sure this will be included in any rules.

    Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is now responsible for most of the deaths around the world, all due to "that drug doesn't exist yet" or "you can't afford the drug".

    Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

    Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

    The market, which has a bad rep in the progressive mind relative to gov-imposed solutions, should be appreciated among Slashdot's technical audience, as it represents a scalable parallel search algorithm for solutions that bother customers.

    Fortunately, we can depend on basic system dynamics to assure us there will be an end to all of this: Power has a strong, inherent positive feedback --> the more power you have, the easier it is to get more. Unrestrained positive feedback systems always destroy the system.

    --
    "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."

    1. Re:Money buys power. by rlglende · · Score: 2

      Most legislation begins as a method of soliciting campaign donations.

      In any case, how does this disprove "money buys power" and the consequences thereof?

      The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

      --
      "The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."

    2. Re:Money buys power. by TubeSteak · · Score: 4, Insightful

      Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is now responsible for most of the deaths around the world, all due to "that drug doesn't exist yet" or "you can't afford the drug".

      Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

      Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

      What a logical clusterfuck.
      Regulations NEVER work?
      Is your drinking water clean? Is there lead in your paint? Is melamine used as a filler in your food products?
      Did you have to work 12 hour days in an unsafe factory starting at the age of 8?

      Your question is just another version of "What have the Romans ever done for us?"
      The answer is "a lot" and whoever modded you up should be ashamed of themselves.

      --
      [Fuck Beta]
      o0t!

    3. Re:Money buys power. by eldepeche · · Score: 2

      The acid rain program in the 1990 Clean Air Act set maximum levels of sulfur emissions, set per-coal-burning-unit targets and provided an incentive for reductions beyond that target (tradable emission credits). Emissions were successfully reduced, starting with the units where it was most economical to do so.

      I don't think anyone said that regulations don't have unintended consequences. They move the equilibrium to a place deemed more socially beneficial. The FDA makes medicine more expensive, but it also forces manufacturers to disclose the ingredients (so you can tell if you're allergic or don't want to pump your coughing kid full of cocaine) and side effects and ensures that drugs are reasonably safe.

      (Of course there are hundreds of reasons why health care is more expensive in the US than Europe, and none of them are "way more prescription drugs in Europe," nor have I ever heard a libertarian talk about how European health care is great because it is free of regulation.)

    4. Re:Money buys power. by eldepeche · · Score: 2

      Replace "intentionally" with "negligently" and you won't be far from the truth.

      The regulations help ensure that tap water won't kill anybody. I think that's a pretty reasonable floor for water quality. The fact that some people are willing to pay for slightly cleaner water does not mean that everybody else should be subjected to unsafe water, necessitating further filtration.

      Lead was used in paint for a lot of reasons: drying time, color duration &c. Making paint without lead meant it was more expensive to get the same quality. Without regulations, it might still be sold, but only to poor people.

      Companies, by and large, only stop doing bad things when it becomes profitable to stop. Regulations serve to make it more expensive to behave badly.

    5. Re:Money buys power. by TubeSteak · · Score: 2

      So you claim only areas that are getting regulated improve, and that there is a dose-response relationship, so the more regulation the faster improvement?

      I said no such thing.
      All I did was point out the gaping hole in your logic.
      "Regulations never work" is an ignorant thing to say and you're an ignorant person for saying it.

      There's no point in having a conversation with someone whose basic premise is that regulations don't work. They do.
      They're not perfect, they can be manipulated, they can even backfire, but they're better than not having regulations at all.

      You also didn't deal with 'money buys power' or the implications thereof.

      The alternative to money manipulating regulations (money buys power) is not a capitalistic laissez faire utopia.
      It's just more money buying power, but without any chance for the consumer's interests to be considered.

      You could stand to read about the history of the US labor movement and US regulatory agencies.

      --
      [Fuck Beta]
      o0t!

  8. Re:Suspect by TubeSteak · · Score: 2

    Personal Data Protection and Breach Accountability Act of 2011

    SEC. 303. ENFORCEMENT.

    (a) Civil Penalties-

    (1) IN GENERAL- Any business entity that violates the provisions of sections 301 or 302 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation.

    (2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 301 or 302 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation.

    "Stiff" penalties my ass.

    SEC. 312. EXEMPTIONS.

    (b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 311, if--

    (1) a risk assessment concludes that--

    (A) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the encryption of such information establishing a presumption that no significant risk exists; or

    (B) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the rendering of such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, establishing a presumption that no significant risk exists;

    Motherfuckers. Breaches of security are just as relevant to the public as loss of data.
    My suspicion is that by the time this comes out of committee and works its way to Congress,
    it'll be so watered down that private businesses will be clamouring for it to be passed.

    --
    [Fuck Beta]
    o0t!

  9. Corporate Anarchy by MickyTheIdiot · · Score: 2

    As we see in this thread, we have an idea that corporate anarchy will solve anything.

    I bet we're going to have a data event at some point that is going to equal 9/11 in importance before anything gets done, and then it will be some kneejerk reaction like the Patriot Act. We're totally screwed up in this country and at some point someone is going to decide that it's time for creative destruction... and that's scary.

  10. Re:Credit agencies also! by Oxford_Comma_Lover · · Score: 2

    They also need a law that will ding the credit agencies when they get it wrong....

    Also need?

    This isn't a law. It's a piece of proposed legislation. Which usually means something someone can point to in order to say "I support X" while knowing full well that X will never actually be law.

    In all likelihood, it has already been referred to some obscure subcommittee and will never be heard from again. (Disclaimer: I'm not sure offhand if he is on the obscure subcommittee, in which case it obviously has a slightly better chance.)

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!

  11. Already in Europe by paugq · · Score: 3, Informative

    This kind of legislation has been in place in Europe for at least 20 years now.

    I don't know the specifics of the proposed US law but in Europe:

    • It has not promoted outsourcing, off-shoring, or anything like that. The law here is very picky on that: if you want to collect data from your customers, you take care of it; you cannot outsource that to some other company to avoid the law.
    • In fact, you cannot sell, loan or transfer personal data to any third party without getting explicit acceptance from the individuals affected.
    • In every company there is a person (physical person) responsible for each data "file" (i.e. a database with personal data). The company is only accountable for money, but that guy is accountable for criminal offenses.
    • Fines are pretty hefty. In my country, from 600 EUR (a very very very dumb issue, like publishing your name + ID card number in a report card) to 600,000 EUR (for some serious trespassing, like selling data to a third party).
    • As a consequence, companies are careful, and even the smallest ones take some minimum security measures.

  12. We've got one too by courcoul · · Score: 2

    FYI, Mexico passed the "LEY FEDERAL DE PROTECCIÓN DE DATOS PERSONALES EN POSESIÓN DE LOS PARTICULARES" or "federal law for the protection of personal data in the hands of third parties" (official decree page in Spanish: http://dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010), which is scheduled to go into effect on Jan/2012. This law is equivalent to the US legislation and was probably a mandatory development in line with NAFTA and other international agreements.

    BTW, this has proven to be a big business opportunity for the likes of IBM and others, as all responsible companies in Mexico scramble to comply by the deadline.