Slashdot Mirror


Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."


  1. market forces by supernova87a · Score: 5, Interesting

    I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.

    As in, let the penalty market for breaches of data be:
    $1 per name
    $2 per address
    $3 per phone number
    $10 per SSN
    And multiply those figures for combinations thereof.

    Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.

    1. Re:market forces by thegarbz · Score: 3, Interesting

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

    2. Re: market forces by bsDaemon · Score: 3, Interesting

      Around 1999-2002... in this post-Columbine, post-9/11 world of fear we've found ourselves in.

      But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

  2. 5 prison term for *individuals* by RickRussellTX · Score: 5, Interesting

    The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.

    I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.

  3. Sheep in wolf's clothing from big corporate view by RhettLivingston · Score: 5, Interesting

    Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.

    I'm no attorney and could be misreading the proposed law (yes, I violated Slashdot rules by reading both the article and the text of the proposed law), but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.

    In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.

  4. I rather see a different bill by MoarSauce123 · Score: 4, Interesting

    Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If lack of doing this leads to a data breach, the entire operation will be closed down, holding management staff personally liable. Yes, I mean have the CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.

  5. Re:"Democrat" Senators? by sabbede · Score: 2, Interesting

    Well, since "Democratic" is an adjective, "proper" naming convention would preclude its use as a noun. Democrat and Democracy are nouns, words that identify objects. Democratic describes such objects, but doesn't specify or identify. The Senate is a democratic body, so the adjective describes it and all its members, be they Democrats or Republicans. Note that we do not say "Democratics and Republicans".