Slashdot Mirror


Obama Proposes 30-Day Deadline For Disclosing Security Breaches

Following the string of massive data breaches at major corporations, President Obama has called for legislation that would standardize how these incidents are disclosed to the public. "The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked. In a speech Monday at the Federal Trade Commission, Mr. Obama said that the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country. The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft."

17 of 125 comments

  1. Yeah, okay by Anonymous Coward · · Score: 4, Insightful

    He says as ISIS literally gets into the CENTCOM twitter account and posts military personnel's addresses/info, data from the pentagon and other bullshit

    I mean come the fuck on

    Data apocalypse now

    1. Re:Yeah, okay by RingDev · · Score: 3, Funny

      "Data apocalypse now"

      Disregarding the rest of your post for this nugget.

      The thought of a remake of Apocalypse Now as Data Apocalypse Now as a senior CIA agent is being sent into the field with some hard core MI6 bodies to capture and return a rogue agent distributing data in an "information wants to be free!" kinda zeal (only way darker). And over time, embedded with the rogue agent, after the MI6 team gets picked off or falls into a drug induced free-knowledge stupor, starts doubting his mission, maybe data does want to be free?

      The thought of a Brit with a laptop saying, "Charlie don't surf!" while browsing the web from North Korea ...

      Seriously, that could be a good movie.

      Could be. Odds are though, it would be drivel.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  2. where was this during his first two years? by xxxJonBoyxxx · · Score: 3, Insightful

    ...and where was this nifty idea (and the free college one too, and immigration reform, etc.) during his first two years in office (when the Congress was mostly Dems)?

    Why does he even bother to open his mouth now?

    1. Re:where was this during his first two years? by gstoddart · · Score: 3, Insightful

      Why does he even bother to open his mouth now?

      Doesn't need to worry about getting re-elected ... doesn't need to care.

      --
      Lost at C:>. Found at C.
  3. No chance in Hell this will pass... by Anonymous Coward · · Score: 4, Interesting

    This law sounds good, but it doesn't have a prayer:

    1: Who enforces it? Will it be as toothless as HIPAA or SOX, where the only person thrown in jail on Sarbanes-Oxley was a guy who fished up one too many groupers?

    2: If enforced, where is there proof that the hole was discovered, and what date? I'm sure an H-1B will be darn sure to keep mum when he/she actually found the breach in order to not be deported.

    3: What is a breach? Is someone duping gold on ClicheQuest considered a breach? A warp hack? What about a web server showing the FTP server's links? The courts can be clogged for years of lawyers deliberating this... and when it comes to technical issues, courts tend to side with what side has the most lawyers.

    4: What happens when a breach and trade secrets smack into each other? A court erring one way, and businesses can have their secret sauce dumped out by clever lawyers. Another way, and every breach can be covered up as a trade secret.

    5: Who is going to fund enforcement? The next President may not bother funding this endeavor.

    Nice political thing... but this law is actually not going to ever see the books. We will see mandated hardware DRM stacks and health checks to make sure DRM is present on all devices before we see this on the books and actively enforced.

  4. How about a law preventing SSN use for credit/ID? by StandardCell · · Score: 4, Interesting

    Of all the laws that haven't been put forth, the one most sorely needed in the market is a law to prevent private companies from using SSNs for ID numbers, customer identification and credit granting. How many people have had to spend thousands of dollars and years in court trying to get their identities back and repair the damage to their credit because they know a name, DoB, address and SSN?

  5. Re:Not a bad idea... by Kierthos · · Score: 5, Informative

    It's 30 days from when it's been discovered, not when the breach actually happens. That way, if it happened months ago, and the IT guy is only detecting it now, they're not in any extra trouble for not reporting it, UNLESS they wait more than 30 days from the point of discovery.

    --
    Mr. Hu is not a ninja.
  6. Re:good luck with that by Okian Warrior · · Score: 4, Insightful

    This will be considered 'anti-business' and the Republicans won't let it through Congress, just you watch.

    Yeah, and the Democratic president waited until *after* the Democrats lost power in the legislature before proposing it.

    It almost seems - dare I say it - that both parties are against the needs of the people!

  7. Re:good luck with that by BillCable · · Score: 3, Informative

    I see the main problem being that these companies will be forced to disclose breaches while they are still in the midst of investigating and fixing them. I can see it taking more than 30 days to discover the breadth of a breach.

  8. Re:Not a bad idea... by Archangel Michael · · Score: 3, Funny

    Thus all we need is permanent plausible deniability.

    AND, taking notes on our current President .... Here are the stages to avoiding any responsibility for anything:

    "I found out about it the same time you did from the newspaper"

    "I am angry and am going to get to the bottom of it"

    "There is not a smidgeon of evidence..."

    "It is just a right wing conspiracy"

    "Phony Scandal"

    "Golf!"

    ????

    "Profit"

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. We're sorry... by seven of five · · Score: 3, Funny

    the National Security Breach database has been breached. Please try again later.

  10. Re:If Obama were smart... by Obfuscant · · Score: 3, Insightful

    * quickly negotiate a broad "consensus bill" for everything in the above list

    The use of riders to attach irrelevant legislation to other stuff is already too much of a problem, you want an entire bill made up of unrelated stuff as one package?

    * quickly get the bills pushed through both houses of Congress, giving the small-minority voices that are against the bills or which favor won't-pass amendments a chance to speak and be heard.

    It's nice you let them have a chance to "be heard". But consider this: the more unrelated things you put in one bucket, the more likely you are to reach a critical mass of people who object to something in that bucket and vote no just for that small part they object to. The entire bill fails for want of a smaller bucket.

  11. Good by mbone · · Score: 3, Interesting

    Sounds like a good idea. Now, let's get the NSA and FBI to fill one of these out.

  12. Re:This May Protect Cheaters by i.r.id10t · · Score: 3, Interesting

    I have issues with turnitin.com as well (and I'm a teacher and work in academic technology) but mostly because instructors/institutions can force a student to give up their intellectual property in order to support a 3rd party's business model.

    I've started adding a footer on my papers I submit as a student along the lines of "this paper is the intellectual property of i.r.id10t. any commercial use is prohibited"

    Don't think I'll ever get anywhere because of it, but at least it makes me feel half way ok for a few moments...

    --
    Don't blame me, I voted for Kodos
  13. Re:If Obama were smart... by Jawnn · · Score: 3, Insightful

    This is the GOP you're talking about. They're not interested in anything that isn't 100% of what they want...

    TFTFY.

  14. Re:How about a law preventing SSN use for credit/I by OzPeter · · Score: 3, Interesting

    I'm not sure exactly what that would accomplish. The only reason it's a Bad Thing(tm) when someone gets my SSN is precisely because that is the number everyone uses for credit granting. If they instead started using some other unique personal number for that purpose (let's call it UPN for the purposes of this discussion), then it would be the UPN I have to give out all over the place, and it would be the UPN that would be under constant threat of being stolen by identity thieves. The effects would be the same.

    You're right. As long as the UPN is used for both authentication AND authorization, then you are screwed no matter what the number actually is. The trick is to separate the two functions somehow, and that will mean a fundamental shift in how things are done.

    The problem in the US is that the SSN is used for both authentication and authorization, even though it was only meant for the former.

    --
    I am Slashdot. Are you Slashdot as well?
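The separation OzPeter argues for, as an added example that is not part of the thread: the SSN-style number only selects an account record, while a separately issued secret (stored as a salted PBKDF2 hash) is what proves identity, so knowing the number alone gets an attacker nothing. The account, the number and the names are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example: an identifier (an SSN-style number) is only a selector;
# identity is proven by a secret issued out of band and never stored in clear.


@dataclass
class Account:
    identifier: str    # public-ish selector, like an SSN
    salt: bytes
    secret_hash: bytes  # PBKDF2 hash of the separately issued secret
    name: str = ""


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(identifier: str, name: str) -> tuple[Account, str]:
    """Create an account and return the secret that would be issued out of band."""
    secret = os.urandom(16).hex()
    salt = os.urandom(16)
    return Account(identifier, salt, _derive(secret, salt), name), secret


def authenticate_by_identifier_only(store: dict, identifier: str) -> bool:
    """The weak pattern the comment describes: knowing the number is enough."""
    return identifier in store


def authenticate(store: dict, identifier: str, secret: str) -> bool:
    """Identifier selects the record; only the secret proves identity."""
    acct = store.get(identifier)
    if acct is None:
        _derive(secret, b"\x00" * 16)  # same work as a real lookup, no timing oracle
        return False
    return hmac.compare_digest(_derive(secret, acct.salt), acct.secret_hash)


def demo() -> dict:
    store = {}
    acct, secret = enroll("123-45-6789", "Jane Example")  # constructed values
    store[acct.identifier] = acct
    return {
        "identifier_only": authenticate_by_identifier_only(store, "123-45-6789"),
        "identifier_and_secret": authenticate(store, "123-45-6789", secret),
        "identifier_wrong_secret": authenticate(store, "123-45-6789", "not-the-secret"),
        "unknown_identifier": authenticate(store, "000-00-0000", secret),
    }
```

In `demo()`, the identifier-only check accepts anyone who has the number, which is exactly the exposure the comment describes; the two-part check rejects both a stolen number without its secret and an unknown identifier.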
  15. Re:Not a bad idea... by Yebyen · · Score: 4, Insightful

    No! Just no!

    If you are a business in the business of making money, small or large, and you have taken my data for some business reason and are careless with it, you should be liable for whatever happens. Every time I hear about another retail company that is storing a bunch of credit cards against the law and PCI, who really doesn't need to be storing any credit card numbers at all, I say "Well no wonder. It was probably the fault of some poor overworked, underpaid IT department." Probably the sales department charged the clients not enough to cover the actual cost of operating the business, and they cut corners. You don't win bids pricing services reasonably, you have to undercut the competition!

    If you think that every company should have carte blanche to do just whatever with customer data, without regard to keeping it secure from hackers, because "computer hard, IT too expensive" then you are part of the problem. Until some of these companies that are gutted by hackers with their "secure" data splayed out all over the internet, get gutted again afterwards by regulators, or even customers leaving to hold them to account after the event, the executive suite is going to continue to place the security bulletin into the circular file and we are going to see more and more of these breaches.

    --
    Restating the obvious since nineteen aught five.