Slashdot Mirror


Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

86 of 162 comments

  1. market forces by supernova87a · · Score: 5, Interesting

    I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.

    As in, let the penalty market for breaches of data be:
    $1 per name
    $2 per address
    $3 per phone number
    $10 per SSN
    And multiply those figures for combinations thereof.

    Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.

    1. Re:market forces by h8sg8s · · Score: 5, Insightful

      Excellent idea. Companies should also directly bear the cost of damage and repairing credit.

      --
      Organization? You must be joking..
    2. Re:market forces by gumbi+west · · Score: 5, Funny

      Yikes, a phone book would cost millions!

    3. Re:market forces by shayd2 · · Score: 1
      I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."

      Does this mean the CEO? CIO? or Uber (the whole corporation)

      We need more prison space

    4. Re:market forces by Anonymous Coward · · Score: 1

      Everyone. The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there are no funds available for compensation.

    5. Re:market forces by giggleloop · · Score: 1

      Because America lacks the political will to take pre-emptive action, but reactive action is the second best idea.

    6. Re:market forces by Jane+Q.+Public · · Score: 1

      In order for your multiplication scheme to work, the name would have to be worth more than $1.

      In fact, the information is normally not that useful without the name. So I'd make the name worth $5 at least.

    7. Re:market forces by omnichad · · Score: 2

      Even under HIPAA, those aren't considered PHI

      That's because it's not HI (Protected Health Information). It doesn't mean it shouldn't be protected - just that it's not covered by a law specifically about Health Information

    8. Re:market forces by Anonymous Coward · · Score: 1

      Oh, as if Republicans aren't interested in a federal law covering data security and breaches:
      https://www.congress.gov/bill/112th-congress/senate-bill/3333/text

      S.3333 - Data Security and Breach Notification Act of 2012
      112th Congress (2011-2012)
      Sponsor: Sen. Toomey, Pat [R-PA] (Introduced 06/21/2012)
      Committees: Senate - Commerce, Science, and Transportation
      Latest Action: Senate - 06/21/2012 Read twice and referred to the Committee on Commerce, Science, and Transportation. (All Actions)
      Cosponsors:
      Sen. Snowe, Olympia J. [R-ME]* 06/21/2012
      Sen. DeMint, Jim [R-SC]* 06/21/2012
      Sen. Blunt, Roy [R-MO]* 06/21/2012
      Sen. Heller, Dean [R-NV]* 06/21/2012
      Sen. Rubio, Marco [R-FL] 07/11/2012

      You're fucking naive if you think that either party really wants to place costly burdens on a lot of business sectors that they receive tons of campaign donations from. Eventually some bill might make it through, but it will very likely be much looser in regulation than the data breach laws that states like, say, California have already on the books.

    9. Re:market forces by Dutch+Gun · · Score: 1

      There's also some addition going on there, you know.

      Anyhow... the value of the name is sort of an interesting topic, because it's highly contextual. For instance, my name is listed publicly on LinkedIn, along with my job skills, work history, and professional achievements. Obviously, you can't blame LinkedIn for "leaking" this information.

      On the other hand, say I were HIV positive and on a treatment list, or a member of Alcoholics Anonymous, or something similarly personal in nature. The release of just my name associated with specific groups could very well be fairly damaging to me. Or even to a lesser extent, I'd be annoyed if Slashdot were hacked and my e-mail were publicly associated with my account name. From there, it wouldn't be hard to determine my real name.

      I think that's one problem with the itemized per-item fine schedule. Another is that a monetary fine really only works against private enterprises. Some of the worst leaks have been by government agencies, because those leaks include biometric data, like fingerprints. I'm not sure what you'd do with these agencies.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    10. Re:market forces by Hal_Porter · · Score: 1

      Welcome to IniTech. Your best bet is to kick someone's ass or become someone's bitch on the first day.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    11. Re:market forces by thegarbz · · Score: 3, Interesting

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

    12. Re:market forces by Smidge204 · · Score: 2

      The very fact that it would require a government, or (government sanctioned/appointed) agency to assess and enforce such penalties means it is not a "market approach."

      But that doesn't mean I disagree; if anything the fines should be at least 100x higher, maybe even 1000x since there's an almost certainty that penalties will settle for pennies on the dollar anyway.
      =Smidge=

    13. Re:market forces by Pimpy · · Score: 1

      Really? The people caught out in the Ashley Madison breach may disagree with this. Anything that makes the individual identifiable carries with it certain risks, and to this extent must be protected.

    14. Re: market forces by bsDaemon · · Score: 3, Interesting

      Around 1999-2002... in this post-columbine, post-9/11 world of fear we've found ourselves in.

      But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

    15. Re:market forces by houghi · · Score: 1

      The real issue with the 10USD for a SSN is that it makes it even more obvious that it should be used in ways that it should NOT be used.

      Using the SSN as an identifier should be punished; not the leaking of it.

      I live in Belgium and we have a national number, yet it would (ok, should, as some people are idiots) not be used as an identifier by itself any more than e.g. a birthday will be.
      It is the birthday; a serial of the number on that day and a control number and identifier of your sex.
      So YYMMDD-XYZ-AB. It is great to use if you have already identified the person, but it is NOT to be used to identify a person. For that we have an identity card where you have to present yourself at the city hall. That card will be used to identify you. If you need to identify somebody, you use that card and https://www.checkdoc.be/CheckD... to verify if the card was not stolen. As soon as your card is stolen, you call the free number and go to the police. That will make the window it can be abused smaller. Yes, abuse will still happen, even with people who try to say their card was stolen.

      --
      Don't fight for your country, if your country does not fight for you.
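
The number format houghi describes above, as an added example (editor's code, not the commenter's and not software of the Belgian register): a parser that validates the two control digits and extracts the birth date, the day's serial and the sex encoded in the serial's parity. The modulo-97 control rule, and the "2" prepended for people born from 2000 on, are the register's documented rule; the sample numbers are constructed for the demonstration, and "bis" numbers with an unknown birth month are out of scope. The point the parser makes in code is the commenter's: a valid control number only shows the digits were not mistyped, anyone can compute it, so it says nothing about who is presenting it.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Person is what a well-formed national number reveals about its holder.
// None of it is secret, which is exactly why the number cannot identify anyone.
type Person struct {
	BirthDate time.Time
	Serial    int
	Male      bool
}

// ErrMalformed is returned for anything that is not 11 digits with a valid check.
var ErrMalformed = errors.New("malformed national number")

// controlNumber computes the two check digits for the first nine digits.
// For people born in 2000 or later the digit "2" is prepended before the
// modulo-97 step (documented rule of the Belgian national register).
func controlNumber(body string, bornAfter1999 bool) int {
	s := body
	if bornAfter1999 {
		s = "2" + s
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return -1
	}
	return int(97 - n%97)
}

// ParseNationalNumber accepts the YY.MM.DD-XYZ.AB form or the bare 11 digits.
// A matching check proves only that the digits were copied correctly; it is
// not an authenticator, so never treat a valid number as proof of identity.
func ParseNationalNumber(raw string) (Person, error) {
	var digits strings.Builder
	for _, r := range raw {
		if r >= '0' && r <= '9' {
			digits.WriteRune(r)
		}
	}
	d := digits.String()
	if len(d) != 11 {
		return Person{}, ErrMalformed
	}
	body, ctrl := d[:9], d[9:]
	want, _ := strconv.Atoi(ctrl)

	// The century is not stored; it is recovered by seeing which variant matches.
	century := 0
	switch want {
	case controlNumber(body, false):
		century = 1900
	case controlNumber(body, true):
		century = 2000
	default:
		return Person{}, fmt.Errorf("%w: check digits do not match", ErrMalformed)
	}

	yy, _ := strconv.Atoi(body[0:2])
	mm, _ := strconv.Atoi(body[2:4])
	dd, _ := strconv.Atoi(body[4:6])
	serial, _ := strconv.Atoi(body[6:9])

	date := time.Date(century+yy, time.Month(mm), dd, 0, 0, 0, 0, time.UTC)
	// time.Date silently normalises overflow (31 February becomes 3 March),
	// so compare back to reject impossible dates.
	if int(date.Month()) != mm || date.Day() != dd {
		return Person{}, fmt.Errorf("%w: impossible birth date", ErrMalformed)
	}
	if serial < 1 || serial > 998 {
		return Person{}, fmt.Errorf("%w: serial out of range", ErrMalformed)
	}
	// Odd serials are assigned to men, even serials to women.
	return Person{BirthDate: date, Serial: serial, Male: serial%2 == 1}, nil
}

func main() {
	// Constructed sample inputs: one valid 19xx number, one valid 20xx number, one bad check.
	for _, in := range []string{"85.07.23-125.49", "03021400272", "85.07.23-125.50"} {
		p, err := ParseNationalNumber(in)
		if err != nil {
			fmt.Printf("%s: %v\n", in, err)
			continue
		}
		fmt.Printf("%s: born %s, serial %d, male=%v\n", in, p.BirthDate.Format("2006-01-02"), p.Serial, p.Male)
	}
}
```

The parser is deliberately strict about structure and deliberately silent about identity: it can tell you that a number is self-consistent and what it encodes, which is useful once the person in front of you has already been identified by their card, and nothing more.
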
    16. Re:market forces by Ol+Olsoc · · Score: 2

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

      Yup, As a Ham, I have my name, address, license level and other information on me on many publicly accessible databases. It's been that way since radio Amateurs existed.

      But today, we are starting to see a few idiots demanding to have their identity kept as a secret. They are told to get a different hobby/avocation. Might as well demand to not have license plates on their cars. Whackers.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    17. Re:market forces by queequeg1 · · Score: 1

      "The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there are no funds available for compensation"

      Wait, this is what *WILL* happen upon conviction? Because that comes close to describing the voluntarily adopted standard operation procedures at some of the corporations I've worked for.

    18. Re: market forces by Ol+Olsoc · · Score: 1

      Around 1999-2002... in this post-columbine, post-9/11 world of fear we've found ourselves in.

      But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

      I had to chuckle at the last part, because you are right about the bad risk assessment - where many people have no problem getting jiggy with their shemale midget scat porn, all logged somewhere, but are too fearful to post their home number on their house or mailbox, because "privacy very important to me, and you never know when someone is going to randomly decide to kill everyone in our town with a 345 in their address!" Anyhow, if our addresses need to be a state secret, we're living in the wrong place. Or need some sort of anti-paranoia meds.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re:market forces by ctilsie242 · · Score: 1

      What would be awesome would be an ID card, whose only task in life is to be storage for keys. Of course, there would have to be protection for the person's secret key, and the ability to get a new key should something be compromised, but with HSM technology the size of a YubiKey, the biggest issue will be a key getting rendered inaccessible or lost.

      If we went with a key based system, it would also mean added privacy. A country can issue a certificate stating someone is over 21, and the card/token holder only needs to have that as proof at a bar, so they can buy booze here in the US. No other info (name, address, etc.) would be needed.

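The key-based card ctilsie242 sketches above, as an added example (editor's code, not the commenter's and not any existing national scheme): the issuing authority signs a statement binding the claim "over_21" to the holder's public key, and at the bar the holder proves possession of that key by signing a fresh nonce. The verifier learns that a trusted issuer vouches for the claim and that the presenter holds the key, and nothing else; name, address and birth date never leave the holder. The challenge-response step and the expiry field go slightly beyond the comment, and are assumptions of this example; how the issuer established the holder's age in the first place is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is everything the relying party ever sees: a claim, the holder's
// public key and an expiry. No name, address or birth date is carried.
type Attestation struct {
	Claim   string `json:"claim"`
	Subject []byte `json:"subject"` // holder's Ed25519 public key
	Expires int64  `json:"expires"` // Unix seconds
}

// SignedAttestation is the serialised attestation plus the issuer's signature over it.
type SignedAttestation struct {
	Body      []byte
	Signature []byte
}

// Issue is the authority's step: bind the claim to the holder's key and sign it.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claim string, validFor time.Duration, now time.Time) (SignedAttestation, error) {
	body, err := json.Marshal(Attestation{Claim: claim, Subject: holderPub, Expires: now.Add(validFor).Unix()})
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Body: body, Signature: ed25519.Sign(issuerPriv, body)}, nil
}

// Prove is the holder's step: sign the verifier's nonce to show possession of
// the key named in the attestation. Nothing else about the holder is revealed.
func Prove(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Verify is the relying party's step. Its only trust anchor is the issuer's public key.
func Verify(issuerPub ed25519.PublicKey, sa SignedAttestation, wantClaim string, nonce, proof []byte, now time.Time) error {
	if !ed25519.Verify(issuerPub, sa.Body, sa.Signature) {
		return errors.New("attestation not signed by the trusted issuer")
	}
	var a Attestation
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return err
	}
	if a.Claim != wantClaim {
		return fmt.Errorf("attestation is for %q, not %q", a.Claim, wantClaim)
	}
	if now.Unix() > a.Expires {
		return errors.New("attestation expired")
	}
	if len(a.Subject) != ed25519.PublicKeySize {
		return errors.New("malformed subject key")
	}
	// This is what stops a copied attestation from being useful on its own.
	if !ed25519.Verify(ed25519.PublicKey(a.Subject), nonce, proof) {
		return errors.New("presenter does not hold the attested key")
	}
	return nil
}

// RunExchange plays the whole exchange with freshly generated keys and returns
// the verifier's verdict for the legitimate holder and for a presenter who has
// a copy of the attestation but not the holder's private key.
func RunExchange() (holderErr, copyErr error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()

	sa, err := Issue(issuerPriv, holderPub, "over_21", 365*24*time.Hour, now)
	if err != nil {
		return err, err
	}

	// The verifier picks a fresh nonce per presentation, so a recorded proof cannot be replayed.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err, err
	}

	holderErr = Verify(issuerPub, sa, "over_21", nonce, Prove(holderPriv, nonce), now)
	copyErr = Verify(issuerPub, sa, "over_21", nonce, Prove(otherPriv, nonce), now)
	return holderErr, copyErr
}

func main() {
	h, c := RunExchange()
	fmt.Println("legitimate holder:", h)
	fmt.Println("copied attestation, wrong key:", c)
}
```

The design choice worth noticing is that the attestation itself can be public: copying it gains nothing without the private key, and losing the card (the commenter's "biggest issue") costs the holder an attestation that is cheap to re-issue against a new key, not a lifelong identifier.
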
    20. Re:market forces by bigwheel · · Score: 1

      What is the penalty for the 2014-2015 OPM data breach https://en.wikipedia.org/wiki/... and who gets that money?

      21.5 million records lost. Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses.

    21. Re:market forces by tsqr · · Score: 2

      I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."

      Does this mean the CEO? CIO? or Uber (the whole corporation)

      We need more prison space

      Well, you could actually read the bill -- there's a link right in TFS. But you won't, so here's the relevant snippet from section 1041: Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both.

      If you want to know what the range of fines is, go read the bill.

    22. Re:market forces by Nukenbar · · Score: 1

      About the time of robo-dialing.

    23. Re:market forces by Solandri · · Score: 4, Insightful

      By themselves these pieces of information are quite harmless (though you had the option of paying the phone company for an unlisted number). Even a few of them together (name, address, phone number) is fairly innocuous.

      What's changed is the ability to cross-reference massive amounts of data to build up a profile of each person. Name, address, phone number, age, gender, marital status, job, income, education, SSN, what kind of car you drive, what type of phone you have (and have had since 2005), how many credit cards you have, size of mortgage on your house, what games you like to play, what movies you like, shoe size, pics from your vacation this past summer, that you're expecting a 2nd child in 3 months, computer you use, the last 1000 websites you've visited, that you still wear superhero underwear, your furry fetish, etc. Suddenly this is no longer about an anonymous name in a phone book; your entire personal life and details are laid bare.

      If the only data companies could collect were name, address, and phone number, I don't think people would be making a big deal about this (or said information being lost in a hack). But add in all that other stuff (some of which nobody should be allowed to collect in the first place) and you have a big problem. People are willing to give up some or most of this info for security (purportedly in the fight against terrorism), but not for Marketing uber alles. And they're especially pissed when a company collecting it for marketing purposes loses it.

    24. Re:market forces by Mitreya · · Score: 1

      At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

      1) I remember that I tried to not list my apartment phone number when I got an apartment in late nineties. It turned out that the local phone company required $4/month (I think) to keep it off Yellow pages.

      2) Also, since the autodialers are a thing (not to mention Fax autodialers, that can annoy you for years!).

      3) And then there is the "Terminator" risk (what if I have the same name as someone being assassinated from the future?)

    25. Re:market forces by JackieBrown · · Score: 1

      You are a very good parrot. Now try looking at who these companies' CEOs are actually donating to.

    26. Re:market forces by Green+Mountain+Bot · · Score: 2

      Because they haven't had a majority since 2010, and for the six months they did have a filibuster proof majority (because the GOP refused to work with them on ANYTHING), they had other bigger matters on their plate.

    27. Re:market forces by barbariccow · · Score: 2

      Wow, then whitepages.com owes a lot of money for having millions of entries for those first 3...

    28. Re:market forces by barbariccow · · Score: 1

      "and of the fact that notification of the security breach is required"

      Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...

    29. Re:market forces by barbariccow · · Score: 1

      Nothing. The government is immune to its own laws.

      https://en.wikipedia.org/wiki/Sovereign_immunity

      Sovereign immunity, or crown immunity, is a legal doctrine by which the sovereign or state cannot commit a legal wrong and is immune from civil suit or criminal prosecution.

    30. Re:market forces by barbariccow · · Score: 1

      Specifically to the US Federal Govt:

      Federal sovereign immunity: In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. The United States has waived sovereign immunity to a limited extent, mainly through the Federal Tort Claims Act, which waives the immunity if a tortious act of a federal employee causes damage, and the Tucker Act, which waives the immunity over claims arising out of contracts to which the federal government is a party. The United States as a sovereign is immune from suit unless it unequivocally consents to being sued. The United States Supreme Court in Price v. United States observed: "It is an axiom of our jurisprudence. The government is not liable to suit unless it consents thereto, and its liability in suit cannot be extended beyond the plain language of the statute authorizing it." Price v. United States, 174 U.S. 373, 375-76 (1899).

    31. Re:market forces by eaglesrule · · Score: 1

      Perhaps when robocallers became a thing, and mass mailing became so inexpensive that stuffing people's mailboxes full of paper spam became commonplace. Technology allowed such public index to be readily exploited, and greed saw to it that it was.

      Even with an unlisted number, I still have to set my phone to not ring unless the caller is already in my list of contacts. I'm sure it won't be long though till even those numbers are spoofed, since so much of our personal data is bartered and traded.

    32. Re:market forces by crmarvin42 · · Score: 1

      After watching Trump administration officials repeatedly claim collective amnesia of important meetings and events of public record, I'd like to see it strengthened so that the penalty can be applied to the CEO, CIO etc. regardless of whether or not there is any evidence that they were actually told. It's too easy to erect barriers to communication that ensure deniability in the event of a scandal. However, if they are accountable regardless then they will be incentivized to ensure communication of data breaches of this sort is simple, quick and possibly automatic somehow. It'll never happen, but we can dream.

      --
      Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
    33. Re:market forces by Ol+Olsoc · · Score: 1

      Same here.

      I've actually wanted to post my call sign on sites like /. at various times through the years, but declined to do so because it's a single lookup on fcc.gov to find my personal details.

      Yeah, me too. Don't want to offend the politically correct on both sides, so I don't post it.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    34. Re:market forces by tsqr · · Score: 1

      "and of the fact that notification of the security breach is required"

      Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...

      So, you didn't read the bill. Every "covered entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain or process such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information".

      One of the required policies and procedures is "The identification of an officer or other individual as the point of contact with responsibility for the management of information security."

      So the "officer or other individual" identified as the "point of contact" has no plausible deniability with respect to knowledge that notification of the breach is required by law. You can be sure that one of this individual's first acts on being identified as the point of contact would be to familiarize everyone in IT with the law; you can also be sure that this individual's first act upon learning of a breach would be to spread that knowledge as widely as possible through the highest levels of the company. Any person fired for taking such action would have grounds for a pretty awesome lawsuit.

    35. Re:market forces by eric_harris_76 · · Score: 1

      Which is somewhat like something I dreamed about doing, until reality interfered: a supplement to the contract provided by those I deal with. Don't sign? I don't use your credit card or rental car or ISP services or whatever. (That's the point where reality intruded. They'd never go for it.)

      Terms:

      • You will take reasonable steps to safeguard data about me, my use of your product(s) and/or service(s), and all other information you gather related to me in the course of our relationship.
      • You protect it from copying, destruction, modification, etc. by:
        • persons not authorized by you to access your computer systems.
        • governments. Exception: you may provide copies of specific information to a government, but only in response to a search warrant or subpoena from that government for the specific information revealed, and only that information. You must notify me of that search warrant or subpoena within 48 hours of your receipt of the demand for information. You must resist complying with any such demand if it is insufficiently specific or otherwise inappropriate, using every legal means at your disposal.
        • employees, contractors, and other persons granted access to your computer systems, in excess of the authority required to perform their work.
      • You will require all persons granted access to your computer systems to first acknowledge that requirement to safeguard that data is a condition of their employment, contract, or other relationship with you.
      • Failure to safeguard this information will result in penalties paid to me, according to the following schedule:
        • Password: $25
        • Security question (without associated answer): $10
        • Security question (with associated answer): $25
        • blah, blah, blah
      • blah, blah, blah
      --
      There's no time like the present. Well, the past used to be.
  2. Who do they think is going to enforce these laws? by MillionthMonkey · · Score: 1, Troll

    The federal agency responsible for enforcing these laws is the CFPB, which is getting shut down.

  3. typo in the title by Anonymous Coward · · Score: 4, Informative

    Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."

    1. Re:typo in the title by walterhpdx · · Score: 1

      Thank you. This always bugs me when I see it and the source ISN’T Limbaugh, et al.

    2. Re:typo in the title by omnichad · · Score: 1, Informative

      And they're not college students, they're collegiate students.

      No. You sometimes use nouns as adjectives. Democratic does not (always or typically) mean member of the Democratic Party.

    3. Re:typo in the title by Solandri · · Score: 1

      They enjoy how it sounds like "rat."

      Actually, in this case I suspect submitter used "Democrat" to make the subject line fit within slashdot's arbitrary length limit.

    4. Re:typo in the title by sabbede · · Score: 1

      But as you said, "Democratic" is an adjective. Names, be they of people or groups, are proper nouns, no? Using the adjective means you are describing something about the nature of the subject, and in this case it would be redundant and ambiguous as all Senators are representatives in a democratic political system, also known as a Democracy.

    5. Re:typo in the title by cascadingstylesheet · · Score: 1

      Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."

      Since both parties appropriated actual words and concepts for their titles, I'm not inclined to care much about this.

      Republican senators are no less "democratic" than Democrat senators. Nor are they any less democrats, really, but the naming here prevents any perfect solution.

    6. Re:typo in the title by barbariccow · · Score: 2

      That's not true at all. Just because there is AN adjective "democratic" does NOT mean you can just take a proper noun and use an adjective for an improper noun to describe it. If I work for a company called "Rainbow", you would say "Rainbow employees do X", not "Prismatic employees do X". A proper noun is a proper noun period.

    7. Re:typo in the title by omnichad · · Score: 1

      The groups are called Democrats and Republicans.

      And when you use it descriptively, you call them "Republican" senators. So why would the group name not apply?

      So it is with "Democratic Senators" with the emphasis on the capital "D".

      While it may be less common, both phrases have been in use since the 1800's, according to Google's Ngram viewer. That one is more common doesn't make the other wrong.

  4. 5 prison term for *individuals* by RickRussellTX · · Score: 5, Interesting

    The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.

    I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.

    1. Re:5 prison term for *individuals* by Anonymous Coward · · Score: 1

      Yeah, the following is particularly incomprehensible:
      "... imposing a five year prison sentence on organizations caught concealing data breaches."

      Organizations in the US are not subject to conviction and sentencing to prison. They get to continue living outside prison walls, to hold their meetings, to plot their little evils, to continue to exist. There are no prisons here, no Death Penalties here.
      Criminal Enterprises like Enron and Equifax don't do Perp Walks. Oh, somebody may be chosen to do something symbolic in the way of penance, but companies just change their name if the publicity gets too bad. That's how the once widely reviled Retail Credit Company became Equifax in the first place. Enron is still around too, by the way. Lay did conveniently die before sentencing. Skilling did serve a greatly reduced sentence; he gets out in February 2019, still with a Net Worth in excess in the millions. Fastow is now a well paid "Motivational Speaker".
      Enron is now a Shadow Holding Company. Azurix, its Water Services branch, is still in business. Prizma continues on as the Ashmore Group. Oil Fields and Pipelines don't just disappear in Bankruptcy. New names, the same old people.

      US Business Law is defined by the concept of Limited Liability. This allows Corporations to do the most outrageous things, with little or no repercussions to those involved. "I didn't do it, the Corporation did. I was just following Orders." A couple of Executives of Enron went to prison, but the Owners? The Shareholders? Just how much Prison time did they serve? Lay and Skilling were paid very well, but that was because they were making much more money for others. The Shareholders were portrayed as Victims by some, but as long as they continued to get those juicy Returns, they didn't care how Enron did it. Their Liability was Limited to their own personal Financial losses. (I'm looking at you, University Of California. Your own Auditor pointed out the irregularities involved; she whistleblowed. The UC Board fired her.)

      Well, we just have to figure out ways to imprison US Businesses who breach our Public Trust, after a fair Trial. This is civilized; perhaps they can reform themselves when inside. But if the Government can't find a way to do it, I see no reason why a little active Vigilantism can't be indulged in.
      String them up, hang them high.

    2. Re:5 prison term for *individuals* by aaarrrgggh · · Score: 1

      Moreover, it is clearly too little, too late. After Equifax, the cat is out of the bag. Emphasis at this point needs to be shielding consumers from the costs and inconvenience of identity theft.

    3. Re:5 prison term for *individuals* by SlaveToTheGrind · · Score: 1

      I agree the imprisonment clause of the law would ultimately be construed to mean prison sentences for individuals, but I think it's an open question which individuals that would turn out to be in a corporate setting.

      Section 1041(a) says:

      (a) IN GENERAL.—Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both.

      So far so good, but then Section 1041(b) explicitly defines what constitutes a "person" subject to the above punishment:

      (b) PERSON DEFINED.—For purposes of subsection (a), the term ‘person’ has the same meaning as in section 1030(e)(12) of this title.

      That's referring to already-existing 18 U.S.C. 1030(e)(12), which says:

      "the term 'person' means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity."

      So if one or more people in a corporation know of a breach, know the corporation needs to disclose it, but conceal it, the corporation has violated 1041(a). But now which individuals in the corporation go to jail -- those who actually knew about and concealed the breach, the corporation's directors and officers, or any/all of the above?

      If they meant for potential jail time to apply only to those who actually knew and were involved in the concealment, a narrower definition of "person" covering only human beings would have done just fine. The definition as it stands leaves a huge gray area. If the intent here is to make the directors/officers hyperactive about security to try to prevent going to jail for something they didn't even know about, this sort of technique may succeed.

    4. Re:5 prison term for *individuals* by apoc.famine · · Score: 1

      And we all know how that will work. We'll establish breach@ourcompany.com as the official place to notify the people who need to know. All employees should email any breach information there. Brian is responsible for monitoring that email address. Now we lay off or reassign Brian.

      Someone keeps an eye on it semi-regularly. In a meeting the CIO is told about the breach, says, "Did you email our breach contact?" Yes? I'm off to play golf.

      --
      Velociraptor = Distiraptor / Timeraptor
  5. 5 year prison sentences... by Anonymous Coward · · Score: 1

    You know no MBA will ever serve one of those, but some poor code monkey who the MBA didn't listen to when he recommended tighter security probably will!

    Democrats pretending to not be the political wing of Goldman Sachs is just a joke. Fuck the Republicans too, but at least they're open about serving the interests of fossil fuel.

    1. Re:5 year prison sentences... by uvajed_ekil · · Score: 1

      Wow, the Russian AC crowd is out in force here.

      Yeah, sow the seeds of apathy, demonize American politics in general, divide and conquer.
      Wait, is Bannon a Russian agent, too? He seems to be using the same strategy as the Kremlin. Hmm...

      --
      This is a hacked account, for which the owner can not be held responsible.
    2. Re:5 year prison sentences... by sgtsquid · · Score: 2

      Thank you for helping us Correct The Record.

    3. Re:5 year prison sentences... by dcw3 · · Score: 1

      You do realize that MBAs are a dime a dozen. My wife has two of them, and my 26 yr old kid was just accepted into an MBA program. More likely you meant C-Levels.

      It's highly doubtful that any "code monkey" (like my former self) will ever do time for any law like this. That usually flies internally when a company wants to lay blame, but any prosecutor isn't going to bite on that.

      --
      Just another day in Paradise
  6. Sheep in wolf's clothing from big corporate view by RhettLivingston · · Score: 5, Interesting

    Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.

    I'm no attorney and could be misreading the proposed law (yes, I violated slashdot rules by reading both the article and the text of the proposed law), but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.

    In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.

  7. Re:Sheep in wolf's clothing from big corporate vie by SteveSgt · · Score: 2

    I've always argued that all fines for any offense should not be fixed monetary amounts, but rather defined as some number of hours or days of the convict's income, depending on the severity of the crime, and calculated accordingly. Let that same rule and calculation apply to corporations as well.

    Perhaps a speeding ticket would cost a day's pay: $80 for some people, $80,000 for others. Big corporate misdeeds could require forfeiture of weeks or months of a company's income.

  8. Re:Sheep in wolf's clothing from big corporate vie by PopeRatzo · · Score: 2

    but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million.

    That's $5 million per case, the way I see it. A good DA could make every single person whose data has been stolen an individual case.

    --
    You are welcome on my lawn.
  9. did they include themselves? by superwiz · · Score: 1

    Are politicians and political organizations excluded from the requirement?

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:did they include themselves? by BiggoronSword · · Score: 1

      Agreed. There have been cases where it was revealed that government data was hacked, but victims of the breach were not notified.

      --
      interactive hologram, or it didn't happen.
  10. Just contact law enforcement by AHuxley · · Score: 1

    As long as law enforcement was contacted any new protections will just go away as cyber investigative secrecy covers the data breaches.
    Federal protection if code litter can be found with parts of any foreign language.
    Welcome that national security letter and the full protection it offers.

    --
    Domestic spying is now "Benign Information Gathering"
  11. Re:Sheep in wolf's clothing from big corporate vie by Anonymous Coward · · Score: 1

    Many times this.

    Setting a fixed price makes it a fixed-price-liability. Actual damages might differ wildly from these numbers.
    I'm all for fining companies that screw up their security and do not come clean about it. But damage that has to be recompensed due to a leak should be calculated from actual (or approximated) damages on a case-by-case basis.

    I prefer the Dutch (and mostly European) approach more.
    After a breach:
    - Local (national) privacy authority investigates company
    - Privacy authority fines company if it screwed up. (up to 20M / 4% global revenue)
    - Privacy authority publishes findings of what went wrong. Public as in I can just download and read them for free. (For the Dutchies
    - I can privately (or in a class action) sue the company for damages. The findings of the privacy authority will make winning that a no-brainer.

  12. Who gets imprisoned? You can only imprison people by olddoc · · Score: 1

    I couldn't get the text of the law to load. Does the CEO go to prison? Does the head of IT go? I think this part of the law would be hard to write and implement. I agree with another poster that fines need to be high enough to be noticed by larger corporations.

    --
    Power tends to corrupt, and absolute power corrupts absolutely.
  13. Huh? by dcw3 · · Score: 1

    "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal."

    I'm sorry, but which special interests exactly are opposed to this? Is there some sort of hacker union lobbying against it?

    --
    Just another day in Paradise
  14. I rather see a different bill by MoarSauce123 · · Score: 4, Interesting

    Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If lack of doing this leads to a data breach the entire operations will be closed down holding management staff personally liable. Yes, I mean have the CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.

    1. Re:I rather see a different bill by dcw3 · · Score: 2

      That all sounds fine, and I agree that it generally would be double plus good, but the implementation would be hellish...

      Define "strictest"
      Who gets to decide what are the "most modern security measures"?
      When do they become obsolete?
      How long do they have to transition to a new measure before getting in trouble?
      Who certifies the "independent third party", and how much is an annual review gonna cost my small mom & pop business?

      --
      Just another day in Paradise
  15. "Democrat" Senators? by sphealey · · Score: 1, Informative

    "Democrat Senators"? So the Slashdot headline writers are now following the lead of Jesse Helms and Rush Limbaugh in attempting to change proper naming conventions to serve their own political ends?

    1. Re:"Democrat" Senators? by sabbede · · Score: 2, Interesting

      Well, since "Democratic" is an adjective, "proper" naming convention would preclude its use as a noun. Democrat and Democracy are nouns, words that identify objects. Democratic describes such objects, but doesn't specify or identify. The Senate is a democratic body, so the adjective describes it and all its members, be they Democrats or Republicans. Note that we do not say "Democratics and Republicans".

    2. Re:"Democrat" Senators? by JackieBrown · · Score: 1, Informative

      Yes! This is what is important! You hit the nail on the head.

      Are you fucking kidding me?

      Besides people like you, no one sees the term Democrat as any more insulting than the word Democratic. The words are interchangeable to non-partisan people.

    3. Re:"Democrat" Senators? by Green+Mountain+Bot · · Score: 2

      Grammar fail. In the phrase "Democratic Senator", "Senator" is a noun and "Democratic" is an adjective describing that noun. In the phrase "be they Democrats or Republicans", "Democrats" and "Republicans" are nouns, not adjectives. This can more easily be seen if you use the analogous phrase "whether they are Democrats or Republicans", in which case "They" is the subject (inherently a noun) and "Democrats or Republicans" is the object (also inherently a noun).

    4. Re:"Democrat" Senators? by sphealey · · Score: 1

      Which is why the hard Radical Right spends so much time trying to forcibly change the proper name of their opponent: because it is meaningless. Got it.

    5. Re:"Democrat" Senators? by JackieBrown · · Score: 1

      You let things bother you. Some call me Dave instead of David and I don't freak out.

    6. Re:"Democrat" Senators? by sabbede · · Score: 1

      That's... exactly what I said. "Democrat Senators" refers to specific members of the Senate that are also Democrats. "Democratic Senators" refers to members of the Senate that are democratic, which is terribly ambiguous considering that the Senate is a democratic body at the heart of a democratic system of government.

    7. Re:"Democrat" Senators? by Green+Mountain+Bot · · Score: 1

      What I said is not what you said. The word before "Senators" is an adjective, not a noun. That means the proper word to use is the adjective form of "Democrat", which is "Democratic", not "Democrat". And "Democratic" is not the same thing as "democratic". The former refers to things having to do with the Democratic party, whereas the latter refers to things having to do with democracy in its various forms. The phrase "Democratic Senators" is not ambiguous in the least. You'd have to be either willfully obtuse or hopelessly ignorant to think so.

  16. Re:Sheep in wolf's clothing from big corporate vie by Anonymous Coward · · Score: 1

    You'd have to hit a company like Apple with $1 billion to even get noticed.

    Agree with parent. The wording of the bill says "intentionally and willfully conceals the fact of the breach of security". A good attorney will be able to argue it was not intentional nor willful in many cases - such as Equifax. Never attribute to malice what can be attributed to incompetence, as the old saying goes.

    What we need in the US is something similar to what Europe is doing. GDPR regulations make it as high as "up to 4% of the annual worldwide turnover of the preceding financial year". That gets people's attention REAL quick.

    You have 1 of 3 choices at that point:
    1) Meet compliance and secure your data
    2) Stop doing business in Europe
    3) Pay the penalty every time you get caught

    ...easy decision to make.

  17. What? by Kierthos · · Score: 2

    So, let me see if I have this straight...

    "We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,"

    ....and....

    If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

    Yeah, I'm sure no organizations will abuse that gray area at all.

    --
    Mr. Hu is not a ninja.
  18. Get it right by tadas · · Score: 1

    DemocratIC Senators Introduce...

    There is no such thing as the "Democrat" party. It's the "Democratic" party. Using "Democrat party" is just a way for Republican politicians to irritate Democrats.

    --
    This page accidentally left blank
  19. Please...PLEASE by p4nther2004 · · Score: 1

    Do NOT give them ideas.

    Management just heard: "I get to keep everyone on premises (and working) 24x7? Where do I sign up?"

  20. The government levying fines by rsilvergun · · Score: 1

    Isn't a market force. A market force is when you don't buy from somebody because of their poor security. You're not going to get anywhere convincing the other side with that argument. Somehow we've got to convince them there are some things the market alone can't do. In my experience it's a religion for a lot of people in that they take it on faith. The way I was taught the virtues of the market in grade school certainly made it seem so. No discussion of competing solutions just a blanket statement of 'this is how economies are'.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  21. Re:Introducing a Bill by desdinova+216 · · Score: 2

    You realize that we're in the situation we're in because of people just looking to see if there's a (D) or (R) after a candidate's name.

  22. Empowering the hackers by holophrastic · · Score: 1

    So, riddle me this. Doesn't this allow very amateur hackers to cause major industry upsets? I can walk into just about any office building, and grab some random private information by looking over a secretary's shoulder. I then tell the company (anonymously, sure) that I stole one customer's information. The company then needs to announce to the world that they've been breached.

    So little old me, with a few minutes per day, can cause a big corporate to announce a breach of 1 customer every single day.

    Sounds like a blaming-the-victim kind of thing.

    1. Re:Empowering the hackers by holophrastic · · Score: 1

      If someone breaks into my home, and steals my neighbour's trinket, I'm still the victim of a home invasion. So the company is also a victim.

      Privacy screens and turning the monitor don't stop me, as a public customer, from suddenly walking behind the secretary, head-on, and taking a photograph as I walk by.

      "Sir! You aren't allowed to be back here."
      "Okay. Bye."

      Way too late.

      Are you going to call the mirror on the other side of the room a zero-day bug? What about the wall of glass windows after dark?

  23. Re:Sheep in wolf's clothing from big corporate vie by RhettLivingston · · Score: 2

    Totally agree. The GDPR appears to be much more consumer oriented. This one has all the right words as to what to penalize, but that is just because it needs to make sure that it is overriding all of the right states' laws. The purpose of this bill appears to be to override the states' rights to determine their own penalties and replace that with a maximum that is lower than some of them might impose.

    Ironically considering that it came from Democrats, I have similar issues with the way this affects the states to the way the repeal of net neutrality affects them.

    Why else would the feds pass a law that puts a maximum on the penalty on civil suits by the attorneys general of the states if not to protect a corporate bad actor from the just decisions of a jury? And why make that maximum a fixed dollar amount instead of a percentage of earnings if not to protect mega corporations more than the little guy? These penalties could put a startup out of business quick while being nothing but a bump in the road on the big guys.

  24. Re:Sheep in wolf's clothing from big corporate vie by RhettLivingston · · Score: 1

    I agree that this codifies what appear to be protections. But it then turns around and puts a maximum penalty in place that is too low. This gives it the appearance of codifying the protections just for the sake of overriding the states' existing codes with a maximum that is less than what states might want to impose in order to protect the companies from consumer rights oriented states.

    We'd be far better off to just copy the GDPR. This would also keep things consistent. Many of the possible bad actors here are international.

  25. Re:Sheep in wolf's clothing from big corporate vie by Eldaar · · Score: 1

    I like this idea because the whole point of having to pay a fine is to discourage the bad behavior. If a wealthy person has to pay a tiny fine, that does very little to discourage the bad behavior.

    As you say, fines should be proportional, not fixed.

  26. Opposite Effect by barbariccow · · Score: 1

    If this goes into law... what if they don't discover the breach until someone tries to sell the database they lifted? This is perfect for criminals. Now, wait 31 days before selling the database. Then, in order to avoid jail time, the companies are FORCED to spend funds to cover up the fact that they were breached and NOT notify customers. Bravo.

  27. How do you incarcerate a corporation? by AnalogDiehard · · Score: 1

    The bill would impose a five year prison sentence on "organizations". Just how do Democrats expect to incarcerate a corporation?

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10