
New Legislation Would Punish Mishandling of Private Data

Soulskill posted more than 2 years ago | from the forty-days-in-the-chamber-of-fire dept.

Government 187

An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"


Credit agencies also! (1)

shipofgold (911683) | more than 2 years ago | (#37355302)

They also need a law that will ding the credit agencies when they get it wrong....

Oh, great .... now, instead of (4, Insightful)

Jerry (6400) | more than 2 years ago | (#37355318)

insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

Re:Oh, great .... now, instead of (1)

blair1q (305137) | more than 2 years ago | (#37355408)

And you have a better rulemaking system?

Re:Oh, great .... now, instead of (3, Insightful)

edmanet (1790914) | more than 2 years ago | (#37355498)

Yes. Darwin's system. When a company gets hacked and customer's information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

Re:Oh, great .... now, instead of (2)

djdanlib (732853) | more than 2 years ago | (#37355560)

You'd REALLY like to think so. So would I. Unfortunately, all of history proves that your average (key word: average) customer is about as smart as a bag of rocks. All you need to do is give them a good sales pitch, and they don't even bother to read the fine print on the paper you hand them! It's really sad and one of the reasons I needed to get out of retail so long ago.

Re:Oh, great .... now, instead of (1)

trout007 (975317) | more than 2 years ago | (#37356798)

So let me get this straight. Most people are too dumb to make important decisions about things. But somehow they are smart enough to vote for people that are smart enough to be able to make rules that force them not to do things they would otherwise do? That doesn't make sense. If they are too dumb to make important decisions, what particular magic happens in the voting booth that makes them able to figure out who to vote for?

Re:Oh, great .... now, instead of (1)

djdanlib (732853) | more than 2 years ago | (#37357086)

You're on the path to the uncomfortable realization that the vast majority of people don't care to be smart, because it's hard and doesn't immediately benefit them. Laziness trumps everything else.

On average, people aren't smart enough to vote for anyone who will lay down solid foundations. They're too lazy and/or selfish. Instead, it's a giant game of I'll-scratch-your-back-if-you-scratch-my-back based on the hot topics, like tax breaks and all that entertaining mud slinging. Poll around, see how much people know about the politicians they voted for. You'll be surprised. Did they get the bulk of their information from TV commercials and office talk around those? Yeah... they did. Did anyone look at their elected representatives' voting history? I bet not.

So occasionally someone smart DOES slip through the cracks, or someone in office has a really good idea, and then they put forth a smart bill that actually protects people. Or, some news article gets a lot of coverage somehow, and turns on the spotlight, and the politicians decide they'd better do something that looks good. And then they bicker over it, and add riders, and eventually kill the whole mess outright, thus preventing us from getting most of the laws that would have protected the average person from his average laziness. Sometimes something good does happen, like the Credit Card Reform Act, or the one for student loans. Those are statistical outliers, because people just don't care about each other or themselves enough to get un-lazy and learn about these people they are voting into office!

Re:Oh, great .... now, instead of (2)

eldepeche (854916) | more than 2 years ago | (#37355766)

So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

Re:Oh, great .... now, instead of (1)

poofmeisterp (650750) | more than 2 years ago | (#37356164)

So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

Who cares?

If you want to just act without thinking or analyzing, you're utilizing trust.

When you trust, you can be screwed over if you don't know who/what it is you're trusting.

Get smart or get..... fart. Ed. On. :)

Re:Oh, great .... now, instead of (1)

eldepeche (854916) | more than 2 years ago | (#37356334)

Without the government to sort out conflicts and enforce penalties, everyone has to trust the companies they do business with as well. You can do all the analysis in the world, people are still going to screw you over. The government can't be 100% effective, and neither can a customer. They can either invest huge amounts of time researching data retention policies (and eventually get burned anyway), or get repeatedly screwed over, or withdraw from the non-cash economy.

Of course, the main difference is that without government regulation, you have more people to insult for getting conned.

Re:Oh, great .... now, instead of (1, Insightful)

MightyMartian (840721) | more than 2 years ago | (#37356190)

You think that's bad, wait till you see a Libertarian apply the logic of that numb-nut poster to, say, medical doctors or engineering firms. I debated a guy on here a few weeks ago who was defending the idea that building code enforcement wasn't required, and people should be able to build however they like, and if their house falls down and damages the next door neighbor's property, the neighbor can always sue.

In short, Libertarians are fucking morons. Either that or sociopaths.

Re:Oh, great .... now, instead of (0)

Anonymous Coward | more than 2 years ago | (#37357046)

Why can't they be both?

Re:Oh, great .... now, instead of (3, Insightful)

uniquename72 (1169497) | more than 2 years ago | (#37356184)

Yes. Darwin's system. When a company gets hacked and customer's information is taken, they lose business ... More laws are not always the best answer.

Obvious problem: There's no impetus (without laws) for any company to ever tell you that they've lost your data. So your model fails completely.

Re:Oh, great .... now, instead of (1)

SomePgmr (2021234) | more than 2 years ago | (#37356400)

I really do want to agree with you, but I don't think that'd play out like that.

If they get hacked enough, they go out of business.

You'd think after months of regular hacks, service downtime, DoS'ing, compromised customer info published all over, a long history of screwing their customers, etc., Sony would've been a prime candidate for this. Instead they hired a token g-man and went on with business as usual.

Do the customers get hurt? Sure. They get smarter too.

Again, I wish they would... but that doesn't seem to be the case. When a customer weighs their privacy and financial security against being able to play Call of Duty... well, we know what they go with.

Re:Oh, great .... now, instead of (2)

webheaded (997188) | more than 2 years ago | (#37356852)

Yes. Darwin's system. When a company gets hacked and customer's information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

I think the real point here is that I shouldn't have to keep getting screwed when I have absolutely no say in the matter. I don't KNOW what a company's internal security practices are like, so how the hell am I going to be able to do anything about it? What you're saying is ridiculous. You can't know until it is too late, and that doesn't seem to really convince anyone else but the company that was attacked to actually do something. So no, your "Darwin" system fails in my mind. I don't see how that would ever work in the real world.

I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

Re:Oh, great .... now, instead of (1)

Entrope (68843) | more than 2 years ago | (#37355810)

Sure: A liability system. If a company leaks my private data due to insufficient care, let me sue them (either individually or as part of a class) to help restore the security of that data, or at least to compensate me for the loss. Instead of saying "thou shalt follow these rules", just say "thou shalt have effective controls", and let companies or industry groups figure out how to live up to the duty to protect private data.

Re:Oh, great .... now, instead of (1)

hrvatska (790627) | more than 2 years ago | (#37356560)

Who, specifically, would decide what constitutes the rules of insufficient care? Who are 'companies or industry groups'? Why can't consumers sue now? Who decides how much a breach is worth?

Re:Oh, great .... now, instead of (2)

Entrope (68843) | more than 2 years ago | (#37357110)

Courts would decide whether a data holder fulfilled a duty to protect data they hold, just like they decide (as necessary) whether people or groups fulfil fiduciary or other duties under other laws.

Companies are companies. Industry groups are what companies form when they have a common problem to solve, and working together to solve that problem is better than trying to solve it separately. (Courts might accept industry standards as sufficient care, or they might not. I would just expect companies to come together to try to figure out how to address security, because it would probably be acceptable under antitrust law and it lets them air out potential protection schemes.)

Consumers cannot sue right now because they have no property rights in this data, and they do not suffer harm when the data is lost -- they only suffer (actual) harm when the data is misused, and the company that loses the data is approximately never the entity that engages in identity theft.

Putting a dollar value on a breach is the hardest part of the scheme, but somehow we put price tags on other intangibles (such as intentional infliction of mental distress). I expect there would be arguments back and forth over the valuations, but that those would be no worse -- and probably better -- than what we see for things like medical malpractice.

Money buys power. (2, Insightful)

rlglende (70123) | more than 2 years ago | (#37355888)

Who do you think is asking for the rules? The same stupid corporations who can't ever provide decent security, of course.

Before the rules are settled, companies will be immune to lawsuits from mere plebians who are injured by their screwups.

Money buys power, so you can be sure this will be included in any rules.

Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is no responsible for most of the deaths around the world, all due to "'that drug doesn't exist yet" or "you can't afford the drug".

Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

The market, which has a bad rep in the progressive mind relative to gov-imposed solutions, should be appreciated among Slashdot's technical audience, as it represents a scalable parallel search algorithm for solutions that bother customers.

Fortunately, we can depend on basic system dynamics to assure us there will be an end to all of this : Power has a strong, inherent positive feedback --> the more power you have, the easier it is to get more. Un-restrained positive feedback systems always destroy the system.

Re:Money buys power. (1)

rlglende (70123) | more than 2 years ago | (#37355910)

The FDA is NOW responsible etc.

Re:Money buys power. (1)

eldepeche (854916) | more than 2 years ago | (#37356070)

Since the FDA is responsible for approving drugs for sale in the US, they are responsible if people die of treatable diseases elsewhere.

Therefore, we shouldn't worry about companies storing their customers' personal information unencrypted on a laptop they leave in their car in plain sight, because the market.

Re:Money buys power. (1)

rlglende (70123) | more than 2 years ago | (#37356632)

And these statements relate to 'money buys power', and the consequences thereof, how?

The US's drug industry develops more than half of the drugs in the world. The first thing they tell you in a drug development course is that no drug can be considered unless it has a $2B/year market because it takes $500M - $1B to get a drug to market, averaged over all of the efforts.

Thus, a very low rate of new drug development despite the rapid decrease in the costs (10 cents / drug, 10 years ago when last I looked at this) and increase in speed of screening drugs against targets. Thus, 'orphan drugs' for diseases that do not have that large a market. Thus the problem that bacteria are evolving faster than new broad-spectrum antibiotics can be developed. Thus the extremely high prices for drugs. Thus the 1000 drugs that European MDs can use, but not US MDs.

Currently, if a mere peon can show that he has been damaged by a security breach, that mere peon can sue, though there is a high hurdle in connecting damages to the breach. After these regulations, that mere peon will not be able to sue unless he can show both the connection to his damages and that the company did not follow the rules, a much bigger problem. The lobbyists will ensure this, attempt to limit class actions, ...

This is how most of the regulatory bodies work : company follows agency rules, is immune to lawsuits.

It is universal that regulators become incestuous with regulatees, that regulations limit competition, work for the regulatees. Money buys power.

I note that nobody has accepted the challenge of providing an example of a set of regulations that work.

Re:Money buys power. (1)

poofmeisterp (650750) | more than 2 years ago | (#37356194)

Who do you think is asking for the rules?...

Probably someone (Senator Richard Blumenthal) who got screwed over. Now, instead of "caring" and "listening to the concerns" of those involved, he will actually act.

Just a hunch here... Just a hunch.

Re:Money buys power. (2)

rlglende (70123) | more than 2 years ago | (#37356380)

Most legislation begins as a method of soliciting campaign donations.

In any case, how does this disprove "money buys power" and the consequences thereof?

The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

Re:Money buys power. (1)

poofmeisterp (650750) | more than 2 years ago | (#37356532)

Most legislation begins as a method of soliciting campaign donations.

You are so correct on that one, my friend. I concede, completely.

The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

I understand you here and my mind agrees from every angle, but I'm not sure how you got on it. What did I miss?

Re:Money buys power. (4, Insightful)

TubeSteak (669689) | more than 2 years ago | (#37356490)

Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is no responsible for most of the deaths around the world, all due to "'that drug doesn't exist yet" or "you can't afford the drug".

Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

What a logical clusterfuck.
Regulations NEVER work?
Is your drinking water clean? Is there lead in your paint? Is melamine used as a filler in your food products?
Did you have to work 12 hour days in an unsafe factory starting at the age of 8?

Your question is just another version of "What have the Romans ever done for us?" [youtube.com]
The answer is "a lot" and whoever modded you up should be ashamed of themselves.

Re:Money buys power. (1)

trout007 (975317) | more than 2 years ago | (#37356902)

If you really think that the only reason companies don't intentionally kill people is because of laws, you are beyond hope. Your drinking water is only clean enough to pass regulations. But many people aren't satisfied by this, hence the market for water filters. So it's pretty obvious there are companies out there trying to provide products that people want because the regulations aren't doing it.

Lead was used in paint for a very long time. Only when it was shown to cause problems did people want it out of their paint. Sure, a regulation was passed, but the market wasn't there for it anymore anyway.

Do you really think parents were mean and cruel 100 years ago when they had their kids work in factories? Before the industrial revolution kids worked in the field just to feed the family and many died at early ages as a result. Factories even dangerous ones were a step up. Only when productivity rose to the point where most people could just survive on the parents income did it even enter people's mind that kids shouldn't work. The regulations just followed that natural progression.

Re:Money buys power. (1)

PoopCat (2218334) | more than 2 years ago | (#37357098)

If you really think that the only reason companies don't intentionally kill people is because of laws you are beyond hope.

One word: cigarettes.

Re:Money buys power. (0)

Anonymous Coward | more than 2 years ago | (#37356684)

Name a set of regulations that work.

Glass-Steagall. Part of it was repealed in 1980 which was followed by massive bank failures, the rest was repealed in 1999, when the banks rode the bubble for almost 10 years before massive bank failures.

FDA - Your food is a lot safer now than it was before the FDA.

Building codes - I'm pretty sure anywhere earthquake prone is glad for these.
Water. Safety. Road building. Engineering. Doctors. Lawyers. All have regulations that work.

There are hundreds of other examples - look around.

Provide an economic evaluation of their consequences vs 'market solutions'.

I'm not your student, why should I do homework for you? You're the one making the ridiculous claim ("regulations NEVER work"), you're the one who needs proof.

Re:Oh, great .... now, instead of (1)

mr1911 (1942298) | more than 2 years ago | (#37355442)

insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent, evil intent group of people on the planet?

FTFY

Re:Oh, great .... now, instead of (2)

eldepeche (854916) | more than 2 years ago | (#37355638)

FTFY

By making it grammatically incorrect?

Re:Oh, great .... now, instead of (1)

poofmeisterp (650750) | more than 2 years ago | (#37356250)

FTFY

By making it grammatically incorrect?

They dun americanizdeded it tthat makes it gramarticalicly kerrect!

HUMOR, HUMOR.

Re:Oh, great .... now, instead of (1)

mr1911 (1942298) | more than 2 years ago | (#37356770)

That was a special present for the grammar patrol.

Your welcome!

(Poor grammar is the gift that keeps on giving.)

Re:Oh, great .... now, instead of (1)

chuckinator (2409512) | more than 2 years ago | (#37355482)

Selling to the government already requires companies to make their products conform to FIPS 140 and the Common Criteria for Information Technology Security Evaluation, and these are very sane standards for network security and handling of sensitive user information. I suspect that they're going to use these already existing NIST standards as a reference for their rules. It'd help if you had more salient information to dispute the competence of government in this specific subject matter domain than the "government BAD" knee jerk reaction.

Re:Oh, great .... now, instead of (2)

Mad Merlin (837387) | more than 2 years ago | (#37355652)

Maybe this will provide disincentive to companies that simply snarf up all possible personal data because they can (I'm looking at you, Facebook). This is by far one of the most annoying trends as of late. That's why Game! [wittyrpg.com] doesn't ask for any personal information (because it doesn't need it) and makes email optional (if you want to be able to recover your account). Perhaps others will follow suit...

Re:Oh, great .... now, instead of (1)

Overzeetop (214511) | more than 2 years ago | (#37355792)

The law will likely make no distinction in the kind of information - once they have your name, they will have to comply. And, hell, if they have to comply they may as well get as much as possible so they can sell it.

Re:Oh, great .... now, instead of (0)

Anonymous Coward | more than 2 years ago | (#37355842)

insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

Damn, I must have missed that memo announcing the death of democracy.

Re:Oh, great .... now, instead of (1)

interval1066 (668936) | more than 2 years ago | (#37355956)

Uh... better than nothing at all?

Re:Oh, great .... now, instead of (0)

Anonymous Coward | more than 2 years ago | (#37356716)

Actually, all Congress would need to do would be to allow any entity that let this happen, where the data breach involves people outside of the entity's state (for single-state companies only doing business with other people in that state, they should sue in state court), to be sued in Federal Court for tort damages, as it regards interstate business transactions.

This'll go far. (1)

Anonymous Coward | more than 2 years ago | (#37355354)

Another set of guidelines. As long as the financial backers of the legislators can water it down enough, all they have to do is follow them and they can't be sued for exposing private data.

If they can't be watered down enough, nothing will happen.

Re:This'll go far. (1)

blair1q (305137) | more than 2 years ago | (#37355428)

If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

Re:This'll go far. (1)

mewsenews (251487) | more than 2 years ago | (#37355642)

If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

Quite right. This is the exact reason I pipe my customer's information to /dev/null

Re:This'll go far. (1)

poofmeisterp (650750) | more than 2 years ago | (#37356276)

If one of the guidelines is "No data shall be allowed to escape the system," then that's good enough.

Quite right. This is the exact reason I pipe my customer's information to /dev/null

Where does your profit come from if you /dev/nullified all of the data?? :>

Re:This'll go far. (0)

Anonymous Coward | more than 2 years ago | (#37355500)

We work with financial data and PII on a regular basis. These regulations are very real and taken seriously. We have to rip and replace our SAN with hardware that supports encryption at rest. It does not matter that the data is encrypted in transport and that the application that exposes the data is secured with two factor authentication, and access is limited to a specific list of IP addresses. It is not good enough that all of the data stored in SQL is encrypted in the database. We also have to encrypt the rest of the data at rest on the SAN. You know, in case someone breaks into the SAS70 certified data center, makes it to our cage and somehow manages to get out of there with the 1000+ pound SAN.

are new laws worth complaining about? (1)

MichaelKristopeit417 (2018862) | more than 2 years ago | (#37355386)

slashdot = stagnated

Re:are new laws worth complaining about? (1)

mr1911 (1942298) | more than 2 years ago | (#37355504)

Try harder Mike. Even Dr. Bob is entertaining.

Re:are new laws worth complaining about? (1)

MichaelKristopeit419 (2018878) | more than 2 years ago | (#37355596)

cower in my shadow some more behind your chosen masculinity based pseudonym, feeb.

you're completely pathetic.

Specific guidelines? (0)

Anonymous Coward | more than 2 years ago | (#37355400)

Something tells me the net result will be a weak set of (designed-by-heavily-lobbied-committee) guidelines that exempts anyone who follows them from any legal action if those guidelines turn out to be not enough.

Suspect (1)

skelly33 (891182) | more than 2 years ago | (#37355434)

The article mentions that they would have very specific requirements for the method by which data is protected. Not having seen the specifics, if they get too specific, I would be rather suspicious of the law becoming a barrier to future improvements - what they think of today as being "the right way" to do it doesn't mean it's the ONLY way and could end up being prohibitive based on the architecture of the system in question. I'm just sayin...

Re:Suspect (1)

n5vb (587569) | more than 2 years ago | (#37355658)

Agreed. Legislators in general tend to suck pretty badly at writing law, and an order of magnitude worse at writing code. Even when it doesn't involve crypto or IT security.

(They weren't elected for their ability to apply reasoning to problems, after all. They were elected for being handsome/pretty and/or popular and willing to accept huge campaign contributions from the interests they're at least theoretically supposed to regulate. These attributes are not known to correlate strongly with strong reasoning skills.)

Re:Suspect (2)

TubeSteak (669689) | more than 2 years ago | (#37356048)

Personal Data Protection and Breach Accountability Act of 2011 [govtrack.us]

SEC. 303. ENFORCEMENT.

(a) Civil Penalties-

(1) IN GENERAL- Any business entity that violates the provisions of sections 301 or 302 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation.

(2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 301 or 302 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation.

"Stiff" penalties my ass.

SEC. 312. EXEMPTIONS.

(b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 311, if--

(1) a risk assessment concludes that--

(A) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the encryption of such information establishing a presumption that no significant risk exists; or

(B) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the rendering of such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, establishing a presumption that no significant risk exists;

Motherfuckers. Breaches of security are just as relevant to the public as loss of data.
My suspicion is that by the time this comes out of committee and works its way to Congress,
it'll be so watered down that private businesses will be clamouring for it to be passed.

Re:Suspect (1)

TubeSteak (669689) | more than 2 years ago | (#37356108)

And this is an associated piece of legislation:
Data Breach Notification Act of 2011 [govtrack.us]
It uses a lot of the same language, but has different dollar penalties attached to breaches.
I haven't really given it a good read-through, but it seems to provide the caps on damages like the other bill.

Re:Suspect (1)

mcl630 (1839996) | more than 2 years ago | (#37357040)

Yes... The best security today will likely be crap security 10 years from now.

Technology at the Speed of Government (0)

Anonymous Coward | more than 2 years ago | (#37355452)

Because government agencies are always up to date on their cryptology.

The man (0)

Anonymous Coward | more than 2 years ago | (#37355460)

And when the government is said mishandler... does this mean tax refunds?

Another stupid piece of legislation.

Re:The man (1)

stretch0611 (603238) | more than 2 years ago | (#37355876)

And when the government is said mishandler... does this mean tax refunds?

Yes, but the money will be sent to the person that just stole your social security number.

Re:The man (1)

poofmeisterp (650750) | more than 2 years ago | (#37356318)

And when the government is said mishandler... does this mean tax refunds?

Yes, but the money will be sent to the person that just stole your social security number.

I smell fire or something.... What is that?

BUUUURN! Nice one. :)

A far better policy (3, Interesting)

cowwoc2001 (976892) | more than 2 years ago | (#37355462)

A far better policy would be to require companies to disclose any time their servers are hacked, whether private user data is stolen or not. That would go a long way towards tying server security to a company's bottom line.

Mandating specific guidelines is a bad idea because the government has no clue when it comes to good security and even if they did guidelines change over time.

Re:A far better policy (3, Interesting)

Stormthirst (66538) | more than 2 years ago | (#37355602)

Perhaps even mandated compensation paid to the person whose data was lost, depending on what was lost. If it were 'merely' your name and address then that's $5,000. If your telephone number too, then $7,500. If it includes your social security number, then $50,000. Biometrics? $100,000 etc etc etc. If the person concerned can prove that their identity was used in the commission of a crime - triple the compensation.

See how quickly companies tighten their security.

Band Aid (0)

Anonymous Coward | more than 2 years ago | (#37355486)

Laws like this are just like putting a band-aid on a gaping gunshot wound. By the time all the lobbyists for any impacted industries are finished carving out exceptions and loopholes to make sure their clients aren't negatively affected, the law won't protect much of anything. In fact, this fed law will effectively neuter any of the more restrictive state laws that cover privacy data handling. What this country really needs is constitutional amendment to bring the US in line with other nations like Brazil that have enshrined the right to privacy in their constitutions.

Re:Band Aid (2)

kenh (9056) | more than 2 years ago | (#37355776)

"What this country really needs is constitutional amendment to bring the US in line with other nations like Brazil that have enshrined the right to privacy in their constitutions"

Privacy is enshrined in our Constitution as well, take a look... Lotta good that does us!

Re:Band Aid (1)

mark-t (151149) | more than 2 years ago | (#37355960)

Not generally speaking. It might possibly be inferred by certain amendments, but the inference is far from conclusive.

Re:Band Aid (1)

edraven (45764) | more than 2 years ago | (#37356074)

If you can post the section of the US Constitution that specifically addresses the right to privacy, I think that would be educational for all of us here.

Re:Band Aid (1)

sconeu (64226) | more than 2 years ago | (#37356472)

The Ninth Amendment [usconstitution.net] .

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

Translation: "Even though we didn't explicitly mention Right 'X', you've still got it."

Also the Tenth:

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Translation: "If it ain't in here, the Feds can't do it."

Re:Band Aid (0)

Anonymous Coward | more than 2 years ago | (#37356872)

Awesome, so you're saying the US Constitution also explicitly guarantees me the inalienable rights to retire a multi-billionaire at the age of 40, teleport at will, and turn invisible. I'ma go right out and exercise my constitutional rights.

Re:Band Aid (0)

Anonymous Coward | more than 2 years ago | (#37356102)

No, privacy is implied by certain amendments in the Bill of Rights, the Preamble (secure the Blessings of Liberty) and stare decisis. It falls under the "penumbra" of the constitution without being explicitly mentioned.

Google? (0)

Anonymous Coward | more than 2 years ago | (#37355576)

So, what about Google? Are they going to be fined for not keeping my personal info protected? What? You dont know that your gmail is not protected at all? Just look at all the AD companies that are using your personal info.......

Re:Google? (1)

jnpcl (1929302) | more than 2 years ago | (#37356212)

Troll much?

Google is the only Ad company that gets your personal information from Google.

Perhaps you're confusing them with Facebook?

This is a dumbed-down version of HIPAA (1)

swan5566 (1771176) | more than 2 years ago | (#37355624)

Companies that deal with people's medical information already have to follow a (much) stricter regulation - ones that can potentially carry criminal sentences. And even stricter still are companies that carry classified information.

Use "certified" firms or be arrested (3, Insightful)

Kohath (38547) | more than 2 years ago | (#37355682)

These types of government regulations always turn out like this:

- Businesses are forced to use "certified" firms as contractors or auditors
- "Certified" firms are politically-connected firms with Washington lobbyists on their payroll
- Government agencies get created to police whatever is regulated in the law
- "Certified" firms work with the agencies to make sure certification is exclusive so they can charge above-market rates (rent seeking)
- Executives at "certified" firms contribute to Richard Blumenthal's re-election campaign.
- Small startup firms are kept out
- Innocent business operators are raided by regulating agencies, even though they never had a security breach.
- Security breaches and private data compromises continue despite government regulation
- There are fewer jobs for everyone handling private data, and there are fewer choices of services.
- Everyone wonders why we have high unemployment and private data breaches.
- People propose deregulating so we can have our freedom back.
- Someone comes up with the private-data equivalent of "think of the children!!!!"

- Time passes. Another hundred such regulatory regimes get added for every facet of life. Life steadily gets worse for everyone who isn't politically connected.

Re:Use "certified" firms or be arrested (0)

interval1066 (668936) | more than 2 years ago | (#37355980)

Yes, I think that's exactly how it works...

Re:Use "certified" firms or be arrested (1)

DNS-and-BIND (461968) | more than 2 years ago | (#37355990)

Fuck you, teabagger. Less government is NEVER the solution.

Re:Use "certified" firms or be arrested (0)

Anonymous Coward | more than 2 years ago | (#37356154)

After taking a breath I realized you were being sarcastic...it's a sad statement about modern politics, that your response sounds real.

Re:Use "certified" firms or be arrested (0)

Anonymous Coward | more than 2 years ago | (#37356312)

Such infallible logic. You must be a member of this new generation of 'progressives' that doesn't have an actual clue how to actually argue or debate an issue and can't stand it when something that isn't leftist/statist gets through the echo chamber they carefully cultivate. Kindly step away from the keyboard, please.

What I find funny is that one of Marx's critiques of capitalism is exactly this - it eventually becomes 'State Capitalism'. I'm sure in the fantasy land of your mind, every government regulation has some kind of obvious and immediate gain for 'the people', as long as it was written by a democrat. Since corporations are people now too, maybe you're right, it's just not that it's for 'the people' as much as it is for 'specific, very rich people'.

Regulation is a tool. Tools can be used incorrectly. An example of this is how your perfectly innocent keyboard was used to type the vitriolic absolute nonsense I'm responding to.

Re:Use "certified" firms or be arrested (1)

netwarerip (2221204) | more than 2 years ago | (#37356022)

The GLBA ( http://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act [wikipedia.org] ) is this type of gov't regulation and has none of the issues that you have brought up, with the exception of the gov't agency that is required to police (audit) companies bound by it. But the GLBA didn't create those agencies, just granted them a standard set of rules and the power to enforce them. If anything it has created more jobs, rather than reducing them. Granted, many of the jobs are filled by auditors, and imo there are few lower lifeforms on the planet, but they still fill jobs. The issue with it is that when there are auditors there are bound to be varied interpretations of the law, and the standard bias that goes along with it. I went thru 3-4 audits a year at 3 different community banks over a 10 year span and no 2 audits were alike. What the Feds wanted the State didn't care about. What the OCC wanted the FDIC disagreed with. One group had me remove overhead sprinklers from the 'data center' and the next group wrote me up for not having fire suppression in the data center. The standard requires 'encryption' but I didn't have a single bit of customer info encrypted until the last year at the last bank. I did, however, get written up for not having a written log to track the changing of smoke detector batteries.

Not about protecting data, it's about protecting c (1)

kenh (9056) | more than 2 years ago | (#37355720)

Data will leak, period. You can work really, really hard to make sure it doesn't, but eventually it will leak.

Increased security only makes it harder, not impossible, and when the data does leak, the companies will be immune from prosecution, since they did everything they were required to do.

Stiff fines my ass... (4, Interesting)

Overzeetop (214511) | more than 2 years ago | (#37355756)

Put the corporate officers in jail - make the minimum sentence mandatory. It needn't be long. Hold people in power responsible and you'll see action.

Business will make a value judgment based on the cost - $5,000,000 potential fine or $300,000 in IT changes means it happens. $5,000,000 fine or $3,000,000 in IT changes and all of a sudden it's not so clear cut. CEO and CIO guaranteed to get 6 months to 5 years in a federal pen for non-compliance and that IT change could cost $30,000,000 and it would be item number one on every single board meeting agenda until the transition is complete.

Re:Stiff fines my ass... (1)

Kohath (38547) | more than 2 years ago | (#37356720)

So any low level employee with access to data can "accidentally" cause a security breach and get the executives put in prison. Justice!

Re:Stiff fines my ass... (1)

ortholattice (175065) | more than 2 years ago | (#37356842)

What I think needs to happen is for fines to be based on a percent of income or assets rather than a fixed dollar amount. (I think some countries do this for speeding fines). Only then will it be a proper disincentive for wealthy people, as opposed to just being a minor inconvenience as a "cost of doing business". In fact, make the percentage "progressive", like income tax, so the wealthier you are, the higher the percentage: fining a poor person 50% of their assets would cause them hardship, whereas fining a billionaire 50% of their assets would hardly affect their lifestyle at all. I think the prospect of a billionaire losing 98% of their assets (and being left with "only" 20 million) would be a far greater deterrent than spending 6 months in a country-club prison.

Re:Stiff fines my ass... (0)

Anonymous Coward | more than 2 years ago | (#37356918)

You and I know full well there won't be any Board members serving a minute of time. Like every other industry to date, it is seldom the 'decision makers' who are held responsible. It is the peons at the bottom doing the actual work that get the jail time, hard and heavy. You really think IT security is going to be any different? There is the whole, 'we run your services and can access your email' aspect of the equation, but all things being equal, lowest man on the totem pole is gonna get thrown under the bus.

Legislating that ONLY Board members can be held responsible, since they're responsible for decisions being implemented... now that has a nice sound to it.

In reality, following the trail for a breach and assigning blame is a slippery slope. I can't imagine, with coming legislation like this, those Corporate environments are going to get any easier to work for.

Personally, I work for the state, and we have our own hellish checklist to manage. Thankfully though, I don't deal with too much personal information.

Which one costs more? (3, Insightful)

Kozz (7764) | more than 2 years ago | (#37355812)

Unless the "stiff fines" cost the company even more than the implementation of storage guidelines, why would they bother? When laws against corporations hit only their pocketbooks (say the cost of a few weeks' worth of hookers and blow for the CEO), they frequently don't have any teeth.

Re:Which one costs more? (1)

stretch0611 (603238) | more than 2 years ago | (#37356030)

In addition, they will need to hold companies accountable when their offshore data center gets breached.

Without this I see all the giant US companies saying that they are not responsible because the outsourcing firm did not store your data properly. And sorry, but the outsourcing firm is not a US entity and not subject to US law.

Re:Which one costs more? (1)

MightyMartian (840721) | more than 2 years ago | (#37356220)

Perhaps they should add "And the CIO will be ass-raped for the rest of his days..."

Companies you do business with? (1)

black soap (2201626) | more than 2 years ago | (#37355970)

Does this only apply to companies that you do business/interact with, or will this apply to all the companies that keep data about you, including your social security number, for sale to anyone? Are those data-mining companies affected at all?

news flash: Sony is not a US company (0)

Anonymous Coward | more than 2 years ago | (#37356090)

Why is it that Americans always think it's OK to force their laws on everybody else?

what about the government? (1)

Charliemopps (1157495) | more than 2 years ago | (#37356114)

What happens when the feds violate these rules? Nothing? That's what I figured.

I'd much rather have my banking info stolen by Russian mobsters than by the NSA. One will, at most, clean out the account. The other will rendition me to the middle of Africa because I bought the wrong kind of rug in the duty free shop while on layover in Istanbul.

We all know (1)

shoehornjob (1632387) | more than 2 years ago | (#37356138)

that corporate interests will find some way to either defeat the proposed bill or change the punishment to a slap on the wrist. I'm guessing that someone hasn't paid this guy off recently and he's getting bitchy about it.

How Many Are Preventable? (1)

Zamphatta (1760346) | more than 2 years ago | (#37356196)

Just from a server admin's POV, 98% is preventable. That's taking into account that a hardware or software bug that is out of the admin's control, becomes a crazy zero day flaw. I could teach my grandma to secure a server so it never has data breaches. It's really not that hard.... (1) Always install the patches. SONY didn't patch, DigiNotar didn't patch, etc. (2) Always encrypt the user's password in the DB field. SONY stored them in plaintext! (3) Admin password should never be the default one. (4) Don't use Windows. Use Linux, *BSD, or something else with a good solid reputation of great security (and for a lot less money too!). ........just following those four concepts will give you a great start on security even if you don't know what you're doing. Most /.er's already know all that, but hey, somebody's gotta spell it out for the newbies.
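Worked example, added by the editor; it is not part of Zamphatta's comment and not code from anywhere in this thread. Rule (2) above says to "encrypt" the password field. The practice a credential store actually needs is a salted, deliberately slow one-way hash rather than reversible encryption: a stolen table then yields no passwords, even to an attacker who also walks off with the application's keys. The block below does that with PBKDF2-HMAC-SHA256 from the Python standard library, compares digests in constant time, and carries the work factor inside each record so it can be raised later, which is the practical answer to mcl630's point earlier in the thread that today's best security is crap security in ten years. The iteration count, the record format, the `login` helper and the in-memory user table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumption for the example: PBKDF2-HMAC-SHA256 work factor. Tune it so one
# hash costs roughly 100 ms on the authentication hosts, and raise it over time.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record "alg$iterations$salt$digest".

    A fresh 16-byte random salt per record means two users with the same
    password get different rows, and a leaked table cannot be attacked with
    one precomputed table for every row at once.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse_record(record: str):
    # Raises ValueError on a malformed record (wrong field count, bad base64).
    alg, iterations, salt_b64, digest_b64 = record.split("$")
    if alg != ALGORITHM:
        raise ValueError("unsupported password record: %s" % alg)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so response timing leaks nothing about
    how many bytes of the digest matched."""
    try:
        iterations, salt, expected = _parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current
    policy (or is unparseable). Call it after a successful login and re-hash
    the cleartext just verified; the table upgrades itself with no reset."""
    try:
        stored_iterations, _, _ = _parse_record(record)
    except ValueError:
        return True
    return stored_iterations < iterations


def login(username: str, password: str, table: dict) -> bool:
    """Authenticate against `table` (a constructed stand-in for the users
    table: username -> record) and transparently upgrade legacy records."""
    record = table.get(username)
    if record is None:
        # Burn the same cost as a real check so an unknown username does not
        # answer measurably faster than a known one (user enumeration).
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        table[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample users; bob's record was made with an old, weak work factor.
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("hunter2", iterations=10_000),
    }
    print(login("alice", "correct horse battery staple", users))  # True
    print(login("alice", "wrong", users))                          # False
    print(login("bob", "hunter2", users), needs_rehash(users["bob"]))  # True False
```

Storing the algorithm and iteration count in the record is what makes the upgrade path work: a row hashed under last year's policy is still verifiable, and `login` silently replaces it the next time the user authenticates. If the table leaks, the attacker gets salts and digests and has to run the full work factor per guess per user, which is the property a regulation demanding that data be "encrypted" is really after.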

Great idea, but... (1)

Xenkar (580240) | more than 2 years ago | (#37356234)

I think it would be better if we just made it so that lenders themselves are liable for any bank fraud that gets through due to insufficient identity verification.

Identity theft doesn't exist. Instead banks are being robbed and they are making victims out of their customers.

If a person notices that some bank let somebody else open up a line of credit in said person's name, said person just needs to say "I did not open this line of credit." It would then be up to the bank to prove otherwise. The bank should also be liable to damages to a person's credit rating if the banks ruins it because of their lapse of judgment.

This bill may be partially good, partially bad (0)

MobyDisk (75490) | more than 2 years ago | (#37356338)

We haven't seen the bill, so it is a bit early to tell. However, it sounds to me to be half-good and half-bad:

From the article:

The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches

Punishing entities for crimes is good, and within the purview of government. But I am not sure the government can do a good job of telling them how to secure their data.

These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly

The real problem with telling them *how* to do it is that when they do those things, but still get hacked, they can say that they followed the regulations so they are innocent. This happens in other highly-regulated fields, and it does make sense to some degree. But this is a field that changes rapidly and is very technical. They can say that the data must be "encrypted" but that is too vague. Or they can say "encrypted with 1024 bit encryption" which is still vague, and does no good in 2 years when every smart phone can break that encryption. On top of it all, you create yet another government regulatory agency.

Ultimately, I am excited about this bill since I have been clamoring for something like this for many years.

Sloppy lawyer bait. (0)

Anonymous Coward | more than 2 years ago | (#37356410)

I took some time to read through the text of the bill at opencongress.org. I'm not a lawyer, but the bill looks sloppy. It makes definitions that aren't actually used (maybe this is for the benefit of modifying other legislation?). The bill sets up a commission to perform audits of private systems without nailing down what are the requirements for due diligence.

As a DBA with an interest in security, I'm not so sure that this is going to be worth the effort. Most thefts of personal information that I've read into came in as authenticated users which would bypass file and transmission encryption anyway. The notification parts of the bill are probably a good idea, but there was an article today about Stanford Hospital that had an open leak for a year. Would people be prosecuted or be held liable in that scenario? Should they be? Should the vendors? The people causing these losses aren't even addressed in this legislation as far as I can see. That's the really bad part.

I believe that this bill is only providing employment to trial lawyers.

Make the Fines Meaningful (1)

Jerrry (43027) | more than 2 years ago | (#37356426)

The problem with legislation of this sort is that the fines imposed are ludicrously small compared to the revenue of the companies being fined.

If I were fined for, say, exceeding the speed limit at the same ratio to my income as most fines imposed on companies, then the fine would be something like $0.05. Hardly a disincentive at all.

Looks like a nice win for big government (0)

Anonymous Coward | more than 2 years ago | (#37356564)

Brief Summary:
1) Create another new Federal Agency (Privacy Policy Office) because none of the existing 100,00+ federal agencies can handle writing the new regulations.
2) The F.T.C. gets the authority to enforce the regulations; that is, the F.T.C. will now have some authority over internet activities.
3) Government agencies will be exempt from the new regulations.

Looks like a nice win for big government.

Everything I do is Performance Art (0)

Anonymous Coward | more than 2 years ago | (#37356666)

rights to redistribute are not granted

Bull (0)

Anonymous Coward | more than 2 years ago | (#37356734)

Let me see if I understand this. A company gets hacked and my personal information is not stored encrypted, so it ends up costing ME money, so that company gets fined where they end up paying money to the Government?

What's wrong with this picture?

Sounds more like a free pass for sloppy security (1)

SirGarlon (845873) | more than 2 years ago | (#37356752)

So let me get this straight: if the company fails to meet the guidelines, and the data leaks, consumers can sue. Can't they already? I fail to see how the consumer gains anything from this. And as others have pointed out, if a company does meet these proposed federal guidelines, and the data still leaks, it sounds like they'd be indemnified.

All I see coming out of this is another costly, compliance-oriented set of regulations that place a burden on companies and at the same time deny citizens their right to hold data stewards accountable through the courts. Sounds like a lose-lose to me.

A compliance-based checklist, "thou shalt do X" has all sorts of problems that basically boil down to putting incentives on bad security. Frankly I think mandatory disclosure of data breaches is more effective, because that way the company is held accountable no matter how the breach occurred.

More Work For Everyone Who Works for a Company (0)

Anonymous Coward | more than 2 years ago | (#37356774)

When the company I work for was recently acquired by a publicly traded company, I spent a few minutes connecting to my e-mail account on my phone, and about ten minutes later I removed it. Why? Because the e-mail account required me to use a locking pin number. Which locks every 5 minutes. Why? Apparently because of some federal rule or law for protecting private information in corporate e-mail. Thing is I have no private information in my e-mail account, I write desktop software. All I have in my e-mail account is bug reports and pleadings from my manager to meet deadlines. There is literally nothing in my e-mail I wouldn't relay to you if you asked. Thankfully, it's my phone so I can take it off, but now my manager never knows when I might read my e-mail on my desktop machine.

So you guys can cheerlead some grandstanding politician sticking it to the man, when all you are doing is filling the world with ridiculous butt covering procedures which make the working guy's life just a little less flexible.

While we're at it... (0)

Anonymous Coward | more than 2 years ago | (#37356854)

...why don't we ban the use of SSNs for anything other than as a personal UUID for government programs? Why don't we ban the sort of data sharing and selling that lets "credit scores" exist? Why don't we charge CEOs who refuse to pay for adequate security with conspiracy to commit fraud and identity theft? Seriously, let's not pussy out here.

Data Retention Laws (1)

CrimsonAvenger (580665) | more than 2 years ago | (#37356948)

Is this going to turn out to be like the data retention laws, which managed to metamorphose into rules mandating destruction of data?

Someone high up the ladder (0)

Anonymous Coward | more than 2 years ago | (#37357108)

-must have had their data compromised or their daughter's or son's.. The mishandling of consumer data has been going on for years. This is a joke.
