Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)
New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."
I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.
As in, let the penalty market for breaches of data be:
$1 per name
$2 per address
$3 per phone number
$10 per SSN
And multiply those figures for combinations thereof.
Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.
The federal agency responsible for enforcing these laws is the CFPB, which is getting shut down.
Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."
They're going to need 2/3 to override the orange traitor, and how many congressional Republicans want to support "gubmint re'leashins" that punish unreasonable stupidity that results in failure? ZERO, that's how many.
The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.
I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.
You know no MBA will ever serve one of those, but some poor code monkey who the MBA didn't listen to when he recommended tighter security probably will!
Democrats pretending to not be the political wing of Goldman Sachs is just a joke. Fuck the Republicans too, but at least they're open about serving the interests of fossil fuel.
Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.
I'm no attorney and could be misreading the proposed law (yes, I violated Slashdot rules by reading both the article and the text of the proposed law), but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.
In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.
Before the Congress passes one more regulation on business they need to disclose THEIR OWN baggage. Millions in payouts from the treasury to cover up sex crimes of these elected officials, all in secret! This is horrific!
Change D to R and you've basically got Fox News and Rush talking points, which are basically marching orders for the Rs.
Well.....the Democrats and their Hollywood bros seem to be breaching them often enough without a new law.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
Yes, but that is the fundamental difference between the American left and right. The American right is very much about telling government to sod off, and the American left claims to be about using government to fix people.
The systems of yesterday that we have suck and rather than fix them you want to pass these dumb liability laws which do nothing to effectively resolve these problems. They merely do an injustice by creating scapegoats.
There has been a solution to credit card fraud for quite some time now. It's called Bitcoin, and other cryptocurrencies. Cryptocurrencies utilize public and private keys and that ensures companies take security seriously. When they fail at security they literally lose money. Right now they just bundle in the cost of credit card fees, fraud, and so on rather than fixing the underlying problems, which are storing extremely valuable numbers that when "lost" result in OTHER companies getting defrauded. It's not the credit card holder who pays the price, but the OTHER company that ends up being defrauded by the con man exploiting that credit card number.
Eliminate credit card numbers, checks, and social security. The real victims are the entities which are defrauded, not the consumers. The consumers are already protected by legislation. Piling on additional laws makes no sense whatsoever. It's just FUD.
Mod parent up. Companies that detect any significant security breach should contact the CFPB and negotiate on whether and how to notify the public.
The difference between the left and the right is that the left has a vision of a better world. The right is just about saying fuck you to someone. Should I vote for a pedophile? Fuck you, I will. Should I finance the government? Fuck you, let it go broke. Should I help my neighbors? Fuck all of you. Should I listen to scientists on any matter? Fuuuuuuck you.
I wonder how that will turn out as a society... Glad I don't have to deal with these sociopaths.
Yes, but that is the fundamental difference between the American left and right. The American right is very much about telling government to sod off, and the American left claims to be about using government to protect them from corporations.
FTFY. You're welcome.
Leftists. Policies so popular they have to be implemented by force.
A moldy bill from 2015 that never got out of committee being resurrected to take advantage of the current headlines. It goes with the handful of other bills on data breaches from other house and senate dems introduced this year. All designed to impress the constituents but not to get out of committees and to the floor for votes lest the tech, retail, financial and other affected business sectors sic their lobbyists on them and start withholding campaign contributions from them.
Mod this guy down!
He broke the rules, actually read the article and the sources before commenting, what a bad, bad, bad, man.
Look at the depths of deprivation SlashDot has sunk to, oh, the humanity!
No typo at all, as the coronation of Hillary demonstrated, the DNC is not at all democratic.
Yes, the amount of stupid in your post is amazing. You think those agencies would dare turn against their retard in chief? This is the same dipshit administration that wants to put Tom Cotton in charge of more than a petting zoo. Go ahead, suck Trump's cock some more. He won't care unless you are under 18. Then he will get hard for you.
I've always argued that all fines for any offense should not be fixed monetary amounts, but rather defined as some number of hours or days of the convict's income, depending on the severity of the crime, and calculated accordingly. Let that same rule and calculation apply to corporations as well.
Perhaps a speeding ticket would cost a day's pay: $80 for some people, $80,000 for others. Big corporate misdeeds could require forfeiture of weeks or months of a company's income.
The point here is to ensure that large companies are not liable. This caps their liability at $5M. Completely corporate bailout.
That's $5 million per case, the way I see it. A good DA could make every single person whose data has been stolen an individual case.
You are welcome on my lawn.
Are politicians and political organizations excluded from the requirement?
Any guest worker system is indistinguishable from indentured servitude.
It's not stolen - we still have it. In so-called piracy, nothing is stolen.
Now where is the fine or director disqualification for paying an unapproved bribe or extortion. Yeah - stay tuned for that one.
Many companies would line up for a complete dump of Facebook individuals info for 5 Million! So would insurance, banks, medical insurers.
Crazy low will actually encourage leaks. A dating site with nude selfies - a trove some phone company sniffed. 5 mil - bargain
In the Eurozone, 5-10% of turnover would be specified.
As long as law enforcement was contacted any new protections will just go away as cyber investigative secrecy covers the data breaches.
Federal protection if code litter can be found with parts of any foreign language.
Welcome that national security letter and the full protection it offers.
Domestic spying is now "Benign Information Gathering"
> ... As in, let the penalty market for breaches of data be:
> $1 per name
> $2 per address
> $3 per phone number
> $10 per SSN
> And multiply those figures for combinations thereof
How much should Hillary Clinton be fined, pray tell?
How many laws on the books already for this? That basically go ignored, or they cover up these things for years. Government needs to enforce those already on the books and prosecute to the law's fullest extent. We have plenty of ability, no will, because business has their hands in every politician's pocket.
How many people have been fired for sexual misconduct in the private sector, yet not a single government official has resigned? Don't count on government for help except for some useless laws that nobody enforces.
Many times this.
Setting a fixed price makes it a fixed-price-liability. Actual damages might differ wildly from these numbers.
I'm all for fining companies that screw up their security and do not come clean about it. But damage that has to be recompensed due to a leak should be calculated from actual (or approximated) damages on a case-by-case basis.
I prefer the Dutch (and mostly European) approach more.
After a breach:
- Local (national) privacy authority investigates company
- Privacy authority fines company if it screwed up. (up to 20M / 4% global revenue)
- Privacy authority publishes findings of what went wrong. Public as in I can just download and read them for free. (For the Dutchies
- I can privately (or in a class action) sue the company for damages. The findings of the privacy authority will make winning that a no-brainer.
Or is it just theater now? Like always.
Introducing a bill, standing alone, doesn't mean much. It's advertising, so someone will be able to campaign on it. Usually after you introduce a bill, it gets referred to a committee, where it dies. In order to become law, the committee has to actually spend time on it and vote to move it out of the committee, and then the majority leader (called a different thing depending on which house of the legislature is involved) has to put the bill on the agenda.
This is why you should usually vote based on party rather than based on who is a better individual representative, unless you're voting between different members of the party you prefer--the most important vote your representative casts is for majority leader, and that vote decides what laws can get passed.
I couldn't get the text of the law to load. Does the CEO go to prison? Does the head of IT go? I think this part of the law would be hard to write and implement. I agree with another poster that fines need to be high enough to be noticed by larger corporations.
Power tends to corrupt, and absolute power corrupts absolutely.
You really are not reading this correctly. This is extending the equivalent of HIPAA protections to consumers. If data is worth collecting and keeping then the company is responsible for securing it and bearing the brunt of harm in case of loss or misuse.
"Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal."
I'm sorry, but which special interests exactly are opposed to this? Is there some sort of hacker union lobbying against it?
Just another day in Paradise
Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If lack of doing this leads to a data breach the entire operations will be closed down, holding management staff personally liable. Yes, I mean have the CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.
"Democrat Senators"? So the Slashdot headline writers are now following the lead of Jesse Helms and Rush Limbaugh in attempting to change proper naming conventions to serve their own political ends?
You'd have to hit a company like Apple with $1 billion to even get noticed.
Agree with parent. The wording of the bill says "intentionally and willfully conceals the fact of the breach of security". A good attorney will be able to argue it was not intentional nor willful in many cases - such as Equifax. Never attribute to malice what can be attributed to incompetence as the old saying goes.
...easy decision to make.
What we need in the US is something similar to what Europe is doing. GDPR regulations make it as high as "up to 4% of the annual worldwide turnover of the preceding financial year". That gets people's attention REAL quick.
You have 1 of 3 choices at that point:
1) Meet compliance and secure your data
2) Stop doing business in Europe
3) Pay the penalty every time you get caught
How about federal and state entities as well? Do you know how many Universities are hacked annually or phished annually with students identity information stolen?
Just a nit, but the headline should read "Democratic Senators...."
I am American and I can say for sure about democrat party being against capital. With this law they are trying to shove down our throats we can see how they fully are side with communists. Strong president Trump will keep this law from coming around, though, to all benefits of us the true Americans.
So, let me see if I have this straight...
Yeah, I'm sure no organizations will abuse that gray area at all.
Mr. Hu is not a ninja.
DemocratIC Senators Introduce...
There is no such thing as the "Democrat" party. It's the "Democratic" party. Using "Democrat party" is just a way for Republican politicians to irritate Democrats.
This page accidentally left blank
Management just heard: "I get to keep everyone on premises (and working) 24x7? Where do I sign up?"
Isn't a market force. A market force is when you don't buy from somebody because of their poor security. You're not going to get anywhere convincing the other side with that argument. Somehow we've got to convince them there are some things the market alone can't do. In my experience it's a religion for a lot of people in that they take it on faith. The way I was taught the virtues of the market in grade school certainly made it seem so. No discussion of competing solutions just a blanket statement of 'this is how economies are'.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
So, riddle me this. Doesn't this allow very amateur hackers to cause major industry upsets? I can walk into just about any office building, and grab some random private information by looking over a secretary's shoulder. I then tell the company (anonymously, sure) that I stole one customer's information. The company then needs to announce to the world that they've been breached.
So little old me, with a few minutes per day, can cause a big corporate to announce a breach of 1 customer every single day.
Sounds like a blaming-the-victim kind of thing.
Totally agree. The GDPR appears to be much more consumer oriented. This one has all the right words as to what to penalize, but that is just because it needs to make sure that it is overriding all of the right state's laws. The purpose of this bill appears to be to override the state's rights to determine their own penalties and replace that with a maximum that is lower than some of them might impose.
Ironically considering that it came from Democrats, I have similar issues with the way this affects the states to the way the repeal of net neutrality affects them.
Why else would the feds pass a law that puts a maximum on the penalty on civil suits by the attorneys general of the states if not to protect a corporate bad actor from the just decisions of a jury? And why make that maximum a fixed dollar amount instead of a percentage of earnings if not to protect mega corporations more than the little guy? These penalties could put a startup out of business quick while being nothing but a bump in the road on the big guys.
I agree that this codifies what appear to be protections. But it then turns around and puts a maximum penalty in place that is too low. This gives it the appearance of codifying the protections just for the sake of overriding the states' existing codes with a maximum that is less than what states might want to impose in order to protect the companies from consumer rights oriented states.
We'd be far better off to just copy the GDPR. This would also keep things consistent. Many of the possible bad actors here are international.
States already have breach notification laws. At this point spending time on a national one is just a distraction from the rest of the political circus.
Big news on /. today[not]. Scraping the bottom of the barrel with allowed content this year.
I like this idea because the whole point of having to pay a fine is to discourage the bad behavior. If a wealthy person has to pay a tiny fine, that does very little to discourage the bad behavior.
As you say, fines should be proportional, not fixed.
If this goes into law... what if they don't discover the breach until someone tries to sell the database they lifted? This is perfect for criminals. Now, wait 31 days before selling the database. Then, in order to avoid jail time, the companies are FORCED to spend funds to cover up the fact that they were breached and NOT notify customers. Bravo.
10th Amendment.
Any power not granted to the federal government by Constitution is reserved to the states and to the people.
This proposed bill will be yet ANOTHER example of government overstepping its bounds. It's reasons like this that we voted for Trump in the first place.
The bill would impose a five year prison sentence on "organizations". Just how do Democrats expect to incarcerate a corporation?
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
The Republicans are in control and will never vote for something like this. Prison time for CEOs? Not going to happen.
The Democrats know that. They are just pandering to their snowflake base.
#maga
You curated right-wing hate speech. Please respect BOTH parties, not just the party of division.