Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com)
On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
Roll it up with online and maybe expanded individual privacy rights? The right to be forgotten? Banning shadow accounts (Facebook) on people that never even joined your system/application/social media...?
Now something like that might actually be healthy and helpful to the average US citizen....
Awesome. Somebody needs to be held responsible.
You can't treat us like people!
This won't pass anyway, but even if it did what's really going to change if we can't enforce existing laws against executives when they perpetuate fraud or break other laws?
If you really want to make companies care about security and data privacy, make it easier for consumers to sue companies in civil court for these kinds of breaches. Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.
Meet the CDBSO: Chief Data Breach Sacrificial Officer! Selected from the working peons, the CDBSO is catapulted from his labors in the basement IT room to the top floor with a plush closet and low 5 figure salary! Should a data breach occur, the CDBSO will lead the charge... sheet in a federal indictment.
It's about time someone proposed a bill like this.
They hold more data on people than anyone on government computers. And they have proven they can be hacked. (OPM, etc.)
They should be required to take just as much care of it as any business. And they should face the same penalties. Maybe even retired execs on whose watch systems stagnated for 10 or more years.
I don't really know, but maybe the idea is to motivate the execs to stop cock-blocking the IT department's security budget.
All successful legislation has some sort of memorable/cute/catchy acronym. "CEA" just doesn't cut the mustard. Something like the Corporate Responsibility After Pwnage Act would have had a much better shot.
So you're telling me a CEO who is sitting on top of a corporation, who is multiple layers of operations removed is to be held responsible for data leaks?
Yes.
What about the people who are supposed to be applying the privacy policies?
what about them? They ultimately take their orders from the CEO.
What about the engineers and technicians?
Fuck you you snivelling little shitstain.
You think the technicians with the low salaries right at the bottom are somehow responsible when the "profits first" CEO is putting on all the pressure to cut corners etc.? Fucking corporate apologist. Of course you want the little guy to get it in the neck while the big rich man gets off.
Screw you.
There's nothing in it for the CEO if there is a security breach.
Are you simple?
Yes, yes you are.
There's money in it for the CEO to ruthlessly cut expenses to maximise profits.
Is this about breaches or fraud? If breaches, sure, any large retail company will be subject to breaches. But fraud? Start with the big banks that foreclose on houses that aren't theirs, open unrequested accounts, or launder money for drug dealers. The first two at least meet that category.
Do you know what "executive" means? Do you know why they make hundreds of times more money than the average developer? It's because they're supposed to be responsible. Of course you should hold the executive responsible for these breaches. They were the ones in charge.
Exactly, the rich one who has the power to tell the not rich one "forget about security, just get it done." Next time, maybe think about the topic for 10 literal seconds before posting.
Terrible analogy. They're not stealing the homeowner's stuff, they're stealing OUR stuff.
A closer analogy would be if someone broke into Public Storage and my stuff got stolen. If it could be proven that Public Storage was negligent (didn't spend money on increased security, even after being warned thieves were in the area), then yes, they should be charged with breach of conduct.
This analogy is closer, but still not all the way there, because we're dealing with a Public Storage that's somehow storing my stuff even when we don't sign up for it.
She passed the bar in 1976. That was before many people on here were born. She has taught at several universities, including the University of Pennsylvania Law School as a full professor and Harvard Law School.
You may not agree with her politics, but you are being dishonest to call her incompetent.
EU did this with their data protection act. The result was that every time you opened Google or any other Google service that a banner popped up telling you to authorize them to do whatever they were doing without your consent to that point. If you didn't confirm, you couldn't use any Google service anymore. Imagine telling that to your boss if work needs to be done...
In this area she is "incompetent": her expertise is in law and finance, she knows nothing about technology. She is right about executives and making them culpable, and there are all kinds of areas to do that, but without evidence of negligence this isn't one of them.
It is impossible to completely prevent a data breach and coming as close to it as you can would make it impossible for a company to actually operate. Including, perhaps especially, the rest of the technology pieces. Many companies are dangerously close to the breaking point as it is.
There is only one solution to the problem: back off your technology massively and rebuild your structure from the ground up with an eye on optimizing the places where it makes the most sense to use technology. Stay away from technologies that make tech resources cheaper; your tech resources will be the ones who want them because they make their jobs easier. Just hire more tech people instead; they won't all need to be top-dollar, top-end resources. Just hire a couple of those guys and lots of high school grads to train on the job. Minimize code (intelligent, dynamic, programmable) anywhere and everywhere you can, and absolutely minimize in-house code. Where you do need it, make it open source.
Every piece of tech in your organization adds linearly to the overall attack surface of your organization. Every layer of house developed code (or configuration flexible enough it might as well be a script or code) easily adds an order of magnitude. There are some things you can do to protect that attack surface but remember they add at minimum linear attack surface of their own and the more dynamic and flexible they are the more they add. Intelligent systems are even worse because they don't follow the predictable and secure patterns your work force follow. For the most part solutions to "protect" you are snake oil.
And whatever you do, for the love of all that is holy, stay the fuck off the cloud and devops, and if you can't avoid hiring any devs at all, don't even let them use any library less than 7 years old or anything the actual admins say is a bad plan, and don't deploy their code until it has been tested in dev and staging for at least 6 months and then phased in per admin and security requirements.
How about instead she proposes the "Politician Accountability Act"?
"The Politician Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" politicians when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when politicians oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
Wow someone has some real anger issues,
Not really, I'm just tired of shitheads advocating to fuck over the people with the least power. Congrats, you're one of those shitheads.
3) The CEO goes to jail, perhaps their family is destroyed, etc. That will show them.
Yes, the CEO put profits above user data. That's a crime and he went to prison.
4) Company XYZ still has the same people in charge of security. The ones who were responsible for the security holes still work there.
did the CEO increase security's budget by enough? Nope. So he's the one ultimately at fault.
But by golly, we got that CEO. That will learn them. /em.
Yeah it will. The next slew of CEOs will think "hmm, maybe I could make a bit less money and NOT go to prison. How about that?"
And then fund security properly.
Problem.
solved.
She LIED about her heritage to take advantage of affirmative action laws. Should be disqualifying for being president or senator right there. It disqualifies her from ever making any moral argument against me or what I do.
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."
So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.
Yes, the CEO is responsible.
That does not mean that all CEO's are cheats.
But for a company that is expected to abide by the law and whatever model of decency and good citizenship is expected, it is the CEO who oversees all that the company does to be in compliance.
CEO's can err by acts of commission, the evildoers.
They can err by acts of omission, failing to keep the company in line even if it was all an honest mistake or oversight.
The CEO is responsible for what the company does, just like the captain of a ship.
If a boat captain runs his ship aground, the Navy doesn't say, "Gee, we know you didn't mean to run over the beach and boardwalk, so we'll let bygones be bygones." That is what responsibility is about.
Unless there is some system of carrots and sticks, incentives to keep them on track and doing the right thing, then the evildoer acts of commission have a greater risk of rising.
The CEO is always the ultimate responsible party, and the bigger the breach of decency, public perception, corporate stewardship, the trust of their customers-shareholders-employees, and compliance with the law, then the harder they should fall or be reprimanded.
The maintenance people, the secretaries, the engineers and technicians - they are not the problem. It is odd that you would think so for even a moment.
Poorly performing and corrupt CEO's and corrupt boards of directors, those are the problem.
SARBOX makes executives personally responsible for the accuracy of the financial data they put out. This has made them get serious about the source of that financial data within their own company. Maybe a bill like this would help with privacy the same way.
You are saying lying should disqualify someone for being president or senator? Really? Is that what you are saying?
If so, you'd best address the gigantic orange elephant in the room.
This is the nature of the right these days. They are the party of morals, for other people... Trump is going to be at false or misleading claim 10000 fairly soon here, and they don't bat an eye, they just make up some story about how heaven works in mysterious ways and he is the chosen one to fulfill those ways.
Ain't it convenient when you can just:
1. Start with a goal.
2. Support any actions taken to reach that goal as some convoluted will of god thing.
Really, if you have to apply, but it's okay because, it probably isn't okay...
1. She did not use her heritage to gain admittance to any school. That's a lie.
2. Using the word "Pocahontas" is, indeed, racist.
3. The free market is not the guiding principle of our entire society. We need regulation. The free market isn't a cure-all.
4. Yes, company leaders do need to be exposed to personal liability. If not, then who is held accountable for a crime by a large company? The millions of stockholders? Should we arrest everybody who owns a share of stock of a company when that company breaks the law? I'd bet that 99% of people with an IRA or 401(k) own shares of Google, Facebook, etc, at least indirectly.
You care about privacy to protect what you have, and what you have gets less and less every year.
This isn't a shot at tech companies. She just did that so it's harder to criticize her (after all, the tech companies just love liberals). No, this is a shot at the folks who crashed the economy in 2008. After that working class Americans lost trillions in wealth. That wealth wasn't destroyed, it was pocketed by the rich. It was the single biggest wealth transfer in my life. Maybe in history.
The trouble here is we focus too much on how Facebook knows what color car we like best or our favorite restaurant and not enough on the massive wealth grab that happens every 10 years when corrupt businessmen and politicians crash the economy and then buy up our assets at rock-bottom prices while we're laid off.
it applies across the board, and includes lots more provisions to punish corrupt CEOs like the folks who crashed our economy in 2008.
The reason she's focused on tech firms is that the media narrative is that the tech firms and the Democrats are in cahoots, so that anything she proposes to regulate to general businesses would be framed in that narrative ("why are you going after such and such and leaving Silicon Valley alone Ms Warren, hmmmm?"). This is a smart political move to defang one of the chief distracting narratives that would normally be used against her. It hurts the bill a little bit with techy nerds, but we're a tiny, tiny minority, and a lot of us (like me) see what she's doing there.
Don't you mean origin elephant?
If you read the proposed law (https://www.warren.senate.gov/imo/media/doc/2019.4.2%20Corporate%20Executive%20Accountability%20Act%20Text.pdf) it "establish criminal liability for negligent executive officers of major corporations" who "has the responsibility and authority to take necessary measures to prevent or remedy violations."
So, if a corp has been found to be negligent in its handling of data, they aren't just fined, but the executives responsible can be sent to prison. She isn't an IT security expert. Neither are those executives. Still, there are industry standards. We would hold executives who manage our water supply responsible if it were sub-standard and they failed to correct the situation.
One of the best pieces of advice I ever got was that if you want to fix a problem, you make it the problem of the person who can fix it.
Right now, there really is no actual punishment. People go tsk, tsk, a janitor gets fired, and it's on to discussions of where the stockholders' meeting is going to be held.
If the guy at the top is looking at some serious punishment, he or she will make certain that data security is taken seriously.
Most all of these breaches have been over seriously simple stuff that never should have happened.
That's not what happened here, but you do seem to grasp the correct usage of a red herring, you knob.
It's better to hold the executive responsible rather than the managers or developers who chose poor security practices because s/he's the rich one!
Has nothing to do with money. Has everything to do with who holds the power. Managers? not much. Developers, none. CEO? they want to protect those millions they make.
We've become so weird in this country. The part that is related to money is that with a big paycheck should come big responsibility. Yet we go in the opposite direction, making that big paycheck owner absolved and immune from all guilt.
The CEO is responsible for what the company does, just like the captain of a ship.
Nice tagline, what does it actually mean? Every Captain says they are responsible for their ship.
If a boat captain runs his ship aground, the Navy doesn't say, "Gee, we know you didn't mean to run over the beach and boardwalk, so we'll let bygones be bygones." That is what responsibility is about.
Captain Kelly ran the Enterprise, a nuclear-powered aircraft carrier, aground and was promoted a few months later.
Captain Larrobino was not charged when a sailor who was having a bad day panicked and tossed a lit magnesium flare into a weapons locker, nearly destroying a different aircraft carrier and killing 44. After the cause was found (manufacturing defects in flares), everyone who had been court-martialed was cleared.
Some captains (Schettino, Avranas) deserved much worse than they got.
Facts matter, not nonsensical abstract ideology.
The CEO is always the ultimate responsible party, and the bigger the breach of decency, public perception, corporate stewardship, the trust of their customers-shareholders-employees, and compliance with the law, then the harder they should fall or be reprimanded.
Fuck that. The CEO should be liable for their actions, not for what happens in the abstract.
My god we are talking about people being held blanket liable for the criminal acts of completely unrelated people, criminal organizations or governments committing illegal acts working against the interest of a corporation. Where does the fucking madness end? You attack me and I go to jail? Give me a fucking break.
What is especially disgusting about this legislation is the blanket conversion of civil liability into criminal liability without regard for what it even is.
Why should how much a company makes dictate CRIMINAL liability of executive officers?
Because such a company has sufficient resources to actually fix the security holes identified by their security team.
Also, plain-ol' negligence gets the job done on smaller companies. Larger ones just factor the cost of fines and/or lawsuits into the decision.
Why should, during an off-year when yearly revenues dip below some magic threshold, the same executive officer have less CRIMINAL liability, or vice versa?
Such line-crossing is not all that common. And you have to have some line to differentiate between a Mom-and-Pop and Equifax.
Why should executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?
The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business. Executives at larger companies (there's a reason I cited Equifax above) aren't.
Leave it to the lawyers to keep trying to make everyone liable for something even if they had nothing to do with it.
You should probably learn a bit about the concept of Negligence before commenting.
"We got hacked" isn't negligence. "Sir, There's a massive security hole here!", "I don't want to spend the money to fix it" is. The executives are in charge of making such a decision. That's why they get the big bucks.
Nice, a law that turns arbitrary, uncategorized, unspecified civil violations into criminal ones.
Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.
This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.
So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.
The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.
What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?
The lawsuits are ineffective at getting very large corporations to care.
Let me put it this way: In a lawsuit, you can recover the value of what you lost. Someone destroys your car, you can sue and get the value of your car.
I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.
I am not a party to any transactions where that data has value (Equifax and its customers), so I'm not out any money. "Someone may commit credit card fraud in the future" is not a basis for winning a lawsuit. If someone actually did commit credit card fraud, I would have to prove the data came from the Equifax hack and not, say, the Blue Cross hack where my data was also stolen. And that's not possible due to all the middlemen involved in getting that data to the people who actually commit fraud.
At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.
Which means civil liability provides exactly zero disincentive to Equifax's executives.
Negligence is whatever you can convince a judge and/or jury negligence is.
Nope, it has an actual legal definition.
You're a big company, you get hacked, you get fined and sued no matter what the facts of the situation are.
And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.
Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment to getting a new job (Hi Bob Nardelli!)
Generally, financial crimes don't involve prison time because there's no physical harm done. The economic harm is pretty easy to eliminate simply by adjusting the economics. i.e. You make the fine for putting profits above user data security so large that no CEO will put (typical) profits above user data. There's no need for prison sentences; that's just malicious victim-blaming because you're unable to find the thief. Remember, the CEO of the company holding your data isn't the one who stole your data - some hacker did. That's the true criminal. At worst, the company inadequately protected your data, or collected data that you may not have particularly wanted them to collect but you agreed to let them do it. Both are problems which are easily solved with economic disincentives. No need for prison.
The dynamic that's going on here is that in property theft, if the company that's holding property has it stolen, they're out the stolen property. That financial loss creates an incentive for them to adequately protect that property in proportion to its value. But in the case of data, the "stolen" data is merely copied by the thieves. The company is not out the data, and their ability to use it in whatever manner they previously were to generate revenue, is unaffected. The lack of that economic loss when they're hacked is what creates the entire problem. So the simplest solution is just adding an economic loss as a disincentive.
If you immediately jump to prison sentences, the only thing you're going to accomplish is making all these companies move their operations overseas, with all their executive officers located outside the U.S., and only keeping operational staff in the U.S. Your data will still be stolen just as it is now, because you didn't want to add an economic disincentive, and the companies found it easier just to move their executive officers out of the country rather than have them face prison time.
But if a bank gets robbed, and the bank's customers' money is stolen, we don't put the bank manager in jail, we put the robber in jail. A corporation that got breached is far more like a robbed bank than it is a pickpocket.
If she wants to change the law to call a corporation that fails to do its due diligence in protecting user data criminally negligent, that's fine. If she wants to take a company that was taking reasonable precautions but got breached anyway, and send the executives to prison for having been robbed, that's absurd.
As a victim of identity theft, I can personally attest that the credit agencies don't just view this as "not their problem", but actively see it as the victim's problem. When my identity was stolen, a credit card was opened in my name and only a stroke of luck made the card go to me. (The card was mailed out before the identity thief's address change was processed.) When I called the company (*cough*Capital One*cough*) about it, they not only told me they couldn't give me information ("because if you go and shoot these people, we're liable" - but you're not liable for opening accounts under my name?!!). They insisted that my wife likely opened the account - when my wife was right next to me freaking out over this. Finally, they refused to let the police speak with them. They told the police that they needed to call a special line. That line went right to voicemail and it was never answered. I've heard of other times where credit agencies like Experian harassed identity theft victims, telling them that the fraudulent accounts would remain on their credit report unless the victims produced massive amounts of proof.
Basically, these companies treat identity theft and data leaks as minor annoyances. Close the account if someone complains, write off the tiny losses, push the burden of proof onto the victims, and then go back to raking in tons of money. If any actual laws are going to be put in place to protect consumers, fight those laws tooth and nail. They never suffer any actual consequences - just look at Experian's data breach. Millions of people's personal information leaked and what penalties has Experian suffered? They settled a $22 million class action lawsuit, but they earned $5.2 billion last year. I don't think 0.4% of their income really hurts them much. If I was fined $300, it might sting slightly, but it wouldn't really hurt. Especially not if what I was fined for made me that much in 1.5 days.
There need to be actual consequences or things aren't going to get better.