New Legislation Would Punish Mishandling of Private Data
An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"
insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?
Running with Linux for over 20 years!
A far better policy would be to require companies to disclose any time their servers are hacked, whether private user data is stolen or not. That would go a long way towards tying server security to a company's bottom line.
Mandating specific guidelines is a bad idea because the government has no clue when it comes to good security, and even if they did, guidelines change over time.
These types of government regulations always turn out like this:
- Businesses are forced to use "certified" firms as contractors or auditors
- "Certified" firms are politically-connected firms with Washington lobbyists on their payroll
- Government agencies get created to police whatever is regulated in the law
- "Certified" firms work with the agencies to make sure certification is exclusive so they can charge above-market rates (rent seeking)
- Executives at "certified" firms contribute to Richard Blumenthal's re-election campaign.
- Small startup firms are kept out
- Innocent business operators are raided by regulating agencies, even though they never had a security breach.
- Security breaches and private data compromises continue despite government regulation
- There are fewer jobs for everyone handling private data, and there are fewer choices of services.
- Everyone wonders why we have high unemployment and private data breaches.
- People propose deregulating so we can have our freedom back.
- Someone comes up with the private-data equivalent of "think of the children!!!!"
- Time passes. Another hundred such regulatory regimes get added for every facet of life. Life steadily gets worse for everyone who isn't politically connected.
Put the corporate officers in jail - make the minimum sentence mandatory. It needn't be long. Hold people in power responsible and you'll see action.
Business will make a value judgment based on the cost - $5,000,000 potential fine or $300,000 in IT changes means it happens. $5,000,000 fine or $3,000,000 in IT changes and all of a sudden it's not so clear cut. CEO and CIO guaranteed to get 6 months to 5 years in a federal pen for non-compliance and that IT change could cost $30,000,000 and it would be item number one on every single board meeting agenda until the transition is complete.
Is it just my observation, or are there way too many stupid people in the world?
Unless the "stiff fines" cost the company even more than the implementation of storage guidelines, why would they bother? When laws against corporations hit only their pocketbooks (say the cost of a few weeks' worth of hookers and blow for the CEO), they frequently don't have any teeth.
I only post comments when someone on the internet is wrong.
Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is now responsible for most of the deaths around the world, all due to "that drug doesn't exist yet" or "you can't afford the drug".
Thus, regulations NEVER work and always have unexpected and/or perverse consequences.
Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.
What a logical clusterfuck.
Regulations NEVER work?
Is your drinking water clean? Is there lead in your paint? Is melamine used as a filler in your food products?
Did you have to work 12 hour days in an unsafe factory starting at the age of 8?
Your question is just another version of "What have the Romans ever done for us?"
The answer is "a lot" and whoever modded you up should be ashamed of themselves.
[Fuck Beta]
o0t!
This kind of legislation has been in place in Europe for at least 20 years now.
I don't know the specifics of the proposed US law but in Europe: