Slashdot Mirror


Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five-year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."


  1. market forces by supernova87a · Score: 5, Interesting

    I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.

    As in, let the penalty market for breaches of data be:
    $1 per name
    $2 per address
    $3 per phone number
    $10 per SSN
    And multiply those figures for combinations thereof.

    Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.

    1. Re:market forces by h8sg8s · Score: 5, Insightful

      Excellent idea. Companies should also directly bear the cost of damage and repairing credit.

      --
      Organization? You must be joking..
    2. Re:market forces by gumbi west · Score: 5, Funny

      Yikes, a phone book would cost millions!

    3. Re:market forces by omnichad · Score: 2

      Even under HIPAA, those aren't considered PHI

      That's because it's not HI (Protected Health Information). It doesn't mean it shouldn't be protected - just that it's not covered by a law specifically about Health Information

    4. Re:market forces by thegarbz · Score: 3, Interesting

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

    5. Re:market forces by Smidge204 · Score: 2

      The very fact that it would require a government, or (government sanctioned/appointed) agency to assess and enforce such penalties means it is not a "market approach."

      But that doesn't mean I disagree; if anything the fines should be at least 100x higher, maybe even 1000x since there's an almost certainty that penalties will settle for pennies on the dollar anyway.
      =Smidge=

    6. Re: market forces by bsDaemon · Score: 3, Interesting

      Around 1999-2002... in this post-Columbine, post-9/11 world of fear we've found ourselves in.

      But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

    7. Re:market forces by Ol Olsoc · Score: 2

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

      Yup, as a ham, I have my name, address, license level and other information on me in many publicly accessible databases. It's been that way since radio amateurs existed.

      But today, we are starting to see a few idiots demanding to have their identity kept as a secret. They are told to get a different hobby/avocation. Might as well demand to not have license plates on their cars. Whackers.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:market forces by tsqr · Score: 2

      I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."

      Does this mean the CEO? CIO? Or Uber (the whole corporation)?

      We need more prison space

      Well, you could actually read the bill -- there's a link right in TFS. But you won't, so here's the relevant snippet from section 1041: Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both.

      If you want to know what the range of fines is, go read the bill.

    9. Re:market forces by Solandri · Score: 4, Insightful

      By themselves these pieces of information are quite harmless (though you had the option of paying the phone company for an unlisted number). Even a few of them together (name, address, phone number) is fairly innocuous.

      What's changed is the ability to cross-reference massive amounts of data to build up a profile of each person. Name, address, phone number, age, gender, marital status, job, income, education, SSN, what kind of car you drive, what type of phone you have (and have had since 2005), how many credit cards you have, size of mortgage on your house, what games you like to play, what movies you like, shoe size, pics from your vacation this past summer, that you're expecting a 2nd child in 3 months, computer you use, the last 1000 websites you've visited, that you still wear superhero underwear, your furry fetish, etc. Suddenly this is no longer about an anonymous name in a phone book; your entire personal life and details are laid bare.

      If the only data companies could collect were name, address, and phone number, I don't think people would be making a big deal about this (or said information being lost in a hack). But add in all that other stuff (some of which nobody should be allowed to collect in the first place) and you have a big problem. People are willing to give up some or most of this info for security (purportedly in the fight against terrorism), but not for Marketing uber alles. And they're especially pissed when a company collecting it for marketing purposes loses it.

    10. Re:market forces by Green Mountain Bot · Score: 2

      Because they haven't had a majority since 2010, and for the six months they did have a filibuster proof majority (because the GOP refused to work with them on ANYTHING), they had other bigger matters on their plate.

    11. Re:market forces by barbariccow · Score: 2

      Wow, then whitepages.com owes a lot of money for having millions of entries for those first 3...

  2. typo in the title by Anonymous Coward · Score: 4, Informative

    Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."

    1. Re:typo in the title by barbariccow · Score: 2

      That's not true at all. Just because there is AN adjective "democratic" does NOT mean you can just take a proper noun and use an adjective for an improper noun to describe it. If I work for a company called "Rainbow", you would say "Rainbow employees do X", not "Prismatic employees do X". A proper noun is a proper noun, period.

  3. 5 prison term for *individuals* by RickRussellTX · Score: 5, Interesting

    The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.

    I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.

  4. Sheep in wolf's clothing from big corporate view by RhettLivingston · Score: 5, Interesting

    Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.

    I'm no attorney and could be misreading the proposed law (yes, I violated slashdot rules by reading both the article and the text of the proposed law), but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.

    In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.

  5. Re:5 year prison sentences... by sgtsquid · Score: 2

    Thank you for helping us Correct The Record.

  6. Re:Sheep in wolf's clothing from big corporate vie by SteveSgt · Score: 2

    I've always argued that all fines for any offense should not be fixed monetary amounts, but rather defined as some number of hours or days of the convict's income, depending on the severity of the crime, and calculated accordingly. Let that same rule and calculation apply to corporations as well.

    Perhaps a speeding ticket would cost a day's pay: $80 for some people, $80,000 for others. Big corporate misdeeds could require forfeiture of weeks or months of a company's income.

  7. Re:Sheep in wolf's clothing from big corporate vie by PopeRatzo · Score: 2

    but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million.

    That's $5 million per case, the way I see it. A good DA could make every single person whose data has been stolen an individual case.

    --
    You are welcome on my lawn.
  8. I rather see a different bill by MoarSauce123 · Score: 4, Interesting

    Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If failing to do this leads to a data breach, the entire operation will be closed down, holding management staff personally liable. Yes, I mean have the CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.

    1. Re:I rather see a different bill by dcw3 · Score: 2

      That all sounds fine, and I agree that it generally would be double plus good, but the implementation would be hellish...

      Define "strictest"
      Who gets to decide what are the "most modern security measures"?
      When do they become obsolete?
      How long do they have to transition to a new measure before getting in trouble?
      Who certifies the "independent third party", and how much is an annual review gonna cost my small mom & pop business?

      --
      Just another day in Paradise
  9. Re:"Democrat" Senators? by sabbede · Score: 2, Interesting

    Well, since "Democratic" is an adjective, "proper" naming convention would preclude its use as a noun. Democrat and Democracy are nouns, words that identify objects. Democratic describes such objects, but doesn't specify or identify. The Senate is a democratic body, so the adjective describes it and all its members, be they Democrats or Republicans. Note that we do not say "Democratics and Republicans".

  10. What? by Kierthos · Score: 2

    So, let me see if I have this straight...

    "We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,"

    ....and....

    If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

    Yeah, I'm sure no organizations will abuse that gray area at all.

    --
    Mr. Hu is not a ninja.
  11. Re:Introducing a Bill by desdinova 216 · Score: 2

    You realize that we're in the situation we're in because of people just looking to see if there's a (D) or (R) after a candidate's name.

  12. Re:Sheep in wolf's clothing from big corporate vie by RhettLivingston · Score: 2

    Totally agree. The GDPR appears to be much more consumer oriented. This one has all the right words as to what to penalize, but that is just because it needs to make sure that it is overriding all of the right state's laws. The purpose of this bill appears to be to override the state's rights to determine their own penalties and replace that with a maximum that is lower than some of them might impose.

    Ironically, considering that it came from Democrats, I have similar issues with the way this affects the states to the way the repeal of net neutrality affects them.

    Why else would the feds pass a law that puts a maximum on the penalty on civil suits by the attorneys general of the states if not to protect a corporate bad actor from the just decisions of a jury? And why make that maximum a fixed dollar amount instead of a percentage of earnings if not to protect mega corporations more than the little guy? These penalties could put a startup out of business quickly while being nothing but a bump in the road for the big guys.

  13. Re:"Democrat" Senators? by Green Mountain Bot · Score: 2

    Grammar fail. In the phrase "Democratic Senator", "Senator" is a noun and "Democratic" is an adjective describing that noun. In the phrase "be they Democrats or Republicans", "Democrats" and "Republicans" are nouns, not adjectives. This can more easily be seen if you use the analogous phrase "whether they are Democrats or Republicans", in which case "They" is the subject (inherently a noun) and "Democrats or Republicans" is the object (also inherently a noun).