Slashdot Mirror

← Back to Stories (view on slashdot.org)

Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)

Posted by BeauHD on from the Newton's-third-law dept.

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

10 of 162 comments (clear)

  1. market forces by supernova87a · · Score: 5, Interesting

    I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.

    As in, let the penalty market for breaches of data be:
    $1 per name
    $2 per address
    $3 per phone number
    $10 per SSN
    And multiply those figures for combinations thereof.

    Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.

    1. Re:market forces by h8sg8s · · Score: 5, Insightful

      Excellent idea. Companies should also directly bear the cost of damage and repairing credit.

      --
      Organization? You must be joking..
    2. Re:market forces by gumbi+west · · Score: 5, Funny

      Yikes, a phone book would cost millions!

    3. Re:market forces by thegarbz · · Score: 3, Interesting

      Yikes, a phone book would cost millions!

      You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

    4. Re: market forces by bsDaemon · · Score: 3, Interesting

      Around 1999-2002... in this post-columbine, post-9/11 world of fear weâ(TM)ve found ourselves in.

      But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worrt about. And people are bad at estimating risk and blow things out of proportion as it suits them.

    5. Re:market forces by Solandri · · Score: 4, Insightful

      By themselves these pieces of information are quite harmless (though you had the option of paying the phone company for an unlisted number). Even a few of them together (name, address, phone number) is fairly innocuous.

      What's changed is the ability to cross-reference massive amounts of data to build up a profile of each person. Name, address, phone number, age, gender, marital status, job, income, education, SSN, what kind of car you drive, what type of phone you have (and have had since 2005), how many credit cards you have, size of mortgage on your house, what games you like to play, what movies you like, shoe size, pics from your vacation this past summer, that you're expecting a 2nd child in 3 months, computer you use, the last 1000 websites you've visited, that you still wear superhero underwear, your furry fetish, etc. Suddenly this is no longer about an anonymous name in a phone book; your entire personal life and details are laid bare.

      If the only data companies could collect were name, address, and phone number, I don't think people would be making a big deal about this (or said information being lost in a hack). But add in all that other stuff (some of which nobody should be allowed to collect in the first place) and you have a big problem. People are willing to give up some or most of this info for security (purportedly in the fight against terrorism), but not for Marketing uber alles. And they're especially pissed when a company collecting it for marketing purposes loses it.

  2. typo in the title by Anonymous Coward · · Score: 4, Informative

    Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an an adjective to annoy Democrats. They enjoy how it sounds like "rat."

  3. 5 prison term for *individuals* by RickRussellTX · · Score: 5, Interesting

    The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.

    I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.

  4. Sheep in wolf's clothing from big corporate view by RhettLivingston · · Score: 5, Interesting

    Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.

    I'm no attorney and could be misreading the proposed law (yes, I violated slashdot rules by reading both the article and the text of the proposed law), but this one seems to reign in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.

    In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.

  5. I rather see a different bill by MoarSauce123 · · Score: 4, Interesting

    Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If lack of doing this leads to a data breach the entire operations will be closed down holding management staff personally liable. Yes, I mean have he CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.