The Data Accountability and Trust Act (DATA) 170
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
Long Overdue (Score:5, Insightful)
It's about time a law like this was enacted.
On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
Re:Long Overdue (Score:1)
you can't legislate morality.
Re:Long Overdue (Score:2)
it's probably worth a try =p now define morality
Re:Long Overdue (Score:2, Funny)
How about naming the country USANUS - "the United States Are Not United States"?
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:1, Flamebait)
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:3, Insightful)
What? How? You can't just pretend those documents say something they don't. Well, you shouldn't.
We can't publish sensitive data from a major corporation on the Internet, or we would get sued.
What makes you think that?That being said, it should be implied, understood, and common practice to prevent big business from doing some of the things that they should be doing in the first place (privacy violations, overcharging, ba
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:4, Interesting)
But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:2)
Your state government sure can. The 2nd Amendment has never been applied to States -- only to the federal government. And you can contract away that right in consideration for a place to live. Just like you can sign an NDA and contract away part of your free speech in consideration for a job.
By the way, the Framers of the Constitution w
Re:Long Overdue (Score:3, Interesting)
If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.
Re:Long Overdue (Score:3, Interesting)
Thighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.
Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.
If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?
e.g.:
Eye Colour
Retina Pattern
A fingerprint
A fingerprint and the finger
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:4, Informative)
Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.
"Your information is unsafe" will become a new media theme, along with "kids shooting up schools", "female teachers sleeping with students" and "pretty white girl goes missing".
BTW - businesses cannot go around redefining "breach" or "personal information", because the bill defines exactly what those are.
If you read the text of the bill [loc.gov] they've dodged out on specifying some of the trickier parts by using language like "Not later than 270 days after the date of enactment of this Act" to require the definition of certain aspects of the bill. Very poor idea, as it gives the lobbyists something to aim at weakening.
It's sponsored by a Republican from Florida and co-sponsored by a stack of other R's. Good idea, possibly poor implementation.
Re:Long Overdue (Score:2)
GOOD!
You say that like it's a bad thing. People NEED to be aware of this.
Re:Long Overdue (Score:3, Insightful)
Don't worry, after a couple months it will become such a beaten dead horse, everyone will think "Oh, this stuff happens all the time. My chances of having my identity stolen are next to nil." And the notice gets tossed in the trash never to be worried about again.
Re:Long Overdue (Score:2)
Re:Long Overdue (Score:2)
Don't want to follow it? Don't incorporate.
Re:Long Overdue (Score:2)
Those damn Republicans, trying to protect your private data. What will they think of next?
Funny, in California this law already exists... (Score:2)
In California we have a law that requires notification of data privacy breaches. Remember Choicepoint being in the news? That was CA's 'fault.'
In California the law allows people to put a Credit Freeze on their account. Far stronger than a 'fraud alert,' this requires the person to temporarily lift the freeze in order to add new credit. Makes life most difficult for identity thieves. Also makes it harder for new companies (no pre-existing relationship) to offer credit, so the person misses out on
Re:Funny, in California this law already exists... (Score:2)
No it doesn't. California's law is stricter that this new act, and complying with DATA won't protect a company from being proscecuted for not complying with the CA act. Federal law only overrides state when the federal act is stricter.
As an example, let's take minimum wage laws. If Congress raises the federal minimum wage, everybody has to pay at least that much, even in states where the state minimum is lower. However, if you live in a state where the local
Re:Funny, in California this law already exists... (Score:2)
"The legislation also pre-exempts any state laws mandating breach disclosures to consumers. According the Consumers Union, 11 states currently have stricter notification standards than H.R. 3997, including a California law that has resulted in numerous consumer notifications over lost data tapes and database breaches."
If DATA isn
So how much is this going to cost? (Score:1)
Re:So how much is this going to cost? (Score:5, Insightful)
You work for ChoicePoint or something?
Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.
why the hell? natural cynicism! (Score:2)
It could be argued that Sarbanes Oxley and the raft of other regulation is overkill. You might argue that companies should have some damn sense of what's right and what isn't, without needing to be regulated down to the tiniest level.
Alternately you could
Re:why the hell? natural cynicism! (Score:2)
You could say the same thing about people, but I don't think it's out of place to say there should be laws against people killing, stealing, defrauding, etc.
Happy? No. Convinc
Re:why the hell? natural cynicism! (Score:2)
One great example with S/O is data retention. It makes sense to
Re:why the hell? natural cynicism! (Score:3, Insightful)
You mean there are people out there that actually trust, private companies?!!
Private companies are the most untrustworthy entities on planet earth. They exist for one reason and one reason only, making money by whatever means necessary. If your "trust" in them stands in the way, they'll gladly walk all over it. Nay, eagerly. At
Re:why the hell? natural cynicism! (Score:2)
Re:So how much is this going to cost? (Score:1)
Re:So how much is this going to cost? (Score:5, Insightful)
The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.
If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.
At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.
What do *we* get when *they* screw up? (Score:2)
Re:So how much is this going to cost? (Score:2)
Sorry, but no, I don't believe that.
There have been several cases in the past, mentioned here and elsewhere, of major leaks of personal data. Can you show me a single example where a leaker has compensated the affected individuals or taken significant steps to prevent a recurrence? Has any such offender suffered any significant damage to
Re:So how much is this going to cost? (Score:3, Interesting)
Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?
Re:You could destroy many more lives. (Score:2)
I think you misunderstand me. Consider your example:
In this case, 50,000 lives have been affected, possibly rather seriously, by the negligence of some or all of those 50 people. If
Re:So how much is this going to cost? (Score:2)
Tax payers pay for a lot more than that...
(speaking as a non-american looking at all those acts and bills)
CAN SPAM : Controlling the Assault of Non-Solicited Pornography And Marketing
... and I bet you have a lot more ...
DATA : Data Accountability and Trust Act
USA-PATRIOT : Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Som
well... (Score:2)
The gov (Score:2)
Oh, wait...
Re:The gov (Score:3, Interesting)
Across corporate America (Score:3, Insightful)
Re:Across corporate America (Score:2)
Social Security Number (Score:1)
Re:Social Security Number (Score:2)
wtf (Score:3)
FTC? (Score:2)
Re:FTC? (Score:1)
It won't pass. (Score:2)
Recursion (Score:1)
Exemption... (Score:5, Insightful)
Re:Exemption... (Score:2)
If they took reasonable care to encrypt their data effectively then I wouldn't object to that provision. However, if all they have to do is have their database engineers ROT13 all the names, this sounds like the gotcha where the new act actually improves things for businesses, as an earlier poster predicted.
Re:Exemption... (Score:3, Insightful)
Even if the encryption isn't lame or broken, it's still data out there on the loose. How long would it take to crack, given all the available informatio
Re:Exemption... (Score:2)
I think that what needs to happen is for someone to do a complete analysis of why having data hordes is dangerous - is it because it's inherently dangerous for someone to know too much about you or is it because anyone who appears to know too much about you is assumed to "be" you by money lenders, law enforcement, etc?
Re:Exemption... (Score:2)
The problem is encryption key management. Where do you store that AES key? Obfusacated in a binary? In your backup scripts using permissions to prevent unauthorized access?
I do best I can and use public-key encryption for encrypting backup data (OpenPGP), with the secret keys escrowed offline. But this doesn't work for "live" data that needs encryption. The secr
Re:Exemption... (Score:5, Informative)
It doesn't say that! Stop making stuff up.
The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
Now perhaps there are encryption algorithms approved by the NIST that you feel are not sufficiently strong - though you haven't given any examples - but to claim that you can use any old encryption algorithm is FUD, pure and simple.
Re:Exemption... (Score:2)
Re:Exemption... (Score:2)
Sorry, but that is pure FUD. WPA-PSK is not "abysmally weak". WEP is "abysmally weak". You cannot, in any reasonable length of time, brute force a WPA-PSK key of length any more than 8 characters, especially if they are numbers, capital letters, symbols etc. Heres a hint, go to this password generator [grc.com], get a key, and you are safe, despite using the ""abysmally weak" WPA-PSK. Do you want to brute-force that? Your 24 character limit is bogus. Try it yourself, make a WPA
Re:Exemption... (Score:2)
http://www.linuxjournal.com/article/8312 [linuxjournal.com]
From that article:
In November 2003, Robert Moskowitz, a senior technical director at ICSA Labs (part of TruSecure) released "Weakness in Passphrase Choice in WPA Interface". In this paper, Moskowitz described a straightforward formula that would reveal the passphrase by performing a dictionary attack against WPA-PSK networks. This weakness is based on the fact that the pairwise master key (PMK) is derived from the combin
From The Bill: (Score:4, Insightful)
Re: (Score:2)
Excellent (Score:2)
Less laptops flying coach with 20,000 credit card numbers in an excel spreadsheet on it. (My next door neighbor got a nice paper-mail note from an company that let a laptop get snatched just last week.)
What will be done to water this bill down? (Score:1)
1) amendments
2) exceptions (gov't, big business, telcos)
3) loopholes
4) unclear/incomplete definitions
5) enforcement (is the FCC the best choice?)
6) insert your scenario here
It sounds good, but the devil (as usual) is in the details.
Cyberwar Related (Score:2)
Definition is everything (Score:2, Insightful)
RECURSIVE? (Score:2)
Illegal wire-tapping? (Score:2)
Existing medical laws (Score:3, Interesting)
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
Re:Existing medical laws (Score:2)
Why? Because of insurance. If this bill passed, insurance companies would just start offering up another service as soon as they figured out a risk forumla to calculate the price they're going to set.
Now... in the medical field, insurance is a big cost, but a 'small' (generally defined as less than 500 employees) business should have less to lose & so, less fees to pay for coverage.
Smaller business = smaller cost (Score:2)
Given that it can take up weeks or months to clear up your credit history and potentially costs thousands of dollars if someone uses your information to open fraudulent accounts, I don't think it's unreasonable to ask companies to send a letter when they fail in their legal obligation to prote
Re:Existing medical laws (Score:2)
I think that's the point of this kind of law. It hits both big and small organizations hard when they screw up. Provides some significant incentive to tighten up security policies. Just like your example, why the heck did someone leave backup tapes in a car unattended? Seems like they weren't taking their security very seriously.
Re:Existing medical laws (Score:2)
Any business that allows it backup tapes to be ferried around in the back of a car doesn't deserve to be in business.
Oh great (Score:2)
What's more scary for me... (Score:2, Insightful)
They suggested that I simply attach the
DATA Breach Timescape (Score:5, Funny)
Data turns to them.
DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.
They react. Data indicates the phishing email on the screen. They walk up to it...
DATA: It is the flashpoint of a privacy invasion. And it is expanding.
PICARD: Expanding... I thought phishing scams were suspended on this ship?
DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.
TROI:Why didn't we notice it before?
DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.
PICARD: Is there any way we can stop it?
DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.
Picard stares at the screen for a long moment...becoming very thoughtful...
PICARD: Astonishing... to see our identities stolen like this...
Coming soon to a workstation near you (Score:5, Funny)
We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:
[Click here to update your account]
If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.
Thank you for using PayPal (or whatever service is being spoofed)!
Time for the skepticism! (Score:2)
US Dept of Acronaming UDA (Score:4, Funny)
Encryption != Absolute Security (Score:2)
You still have to deal with "trusted user" abuse as well as protecting the API that allow normal decrypted access to the data.
Imagine being the systems/database admin who has to report a data loss to management.
Management will have a very hard time understanding that data
Secure Transactions (Score:3, Interesting)
And WHERE do they have to inform you? (Score:2, Insightful)
I'm not even concerned about the various loopholes and excemptions that this bill will most likely have (I have to admit, I did not read it. Nor is it worth the time reading it 'til it's passed for the simple reason that if it COULD present a benefit against spyware in software it WILL be changed). Even without loopholes it's po
Third Parties (Score:2)
A credit card validation service?
An outsourcing campany?
The consumer is not the "customer", especially in the second case.
Unconstitutional and Unnecessary (Score:2, Troll)
This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notif
Re:Unconstitutional and Unnecessary (Score:3, Informative)
That's nice in theory, but one of the reasons we have government regulation is to help mitigate the asymmetry of power that prevents individuals from ever negot
Re:Unconstitutional and Unnecessary (Score:3, Interesting)
I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.
Most of the acronyms you listed have their basis in previous
Re:Unconstitutional and Unnecessary (Score:2)
Re:Unconstitutional and Unnecessary (Score:2)
Wait a second. Why does a company require an express instruction not to sell my data, but can do as it pleases with my data without any approval implied or explicit?
Is it implied that if I do business with a company that every detail of our transaction is forever available for that company to; use, sell, tr
Re:Unconstitutional and Unnecessary (Score:2)
I don't see that as the case at all. There is no right to privacy if you openly put information out there. My father told me at a young age to never put anything in writing that I didn't want others to know and use against me. That is true with all my private information.
I don't bank. I don't have credit cards. I don't trade stocks. I am living 100% on a gold hard money [unanimocracy.com]
Re:Unconstitutional and Unnecessary (Score:2)
If the framers merely wanted to keep states from taxing, tariffing or embargoing interstate commerce, why did they just not say: "States shall not have the power to tax
Re:Unconstitutional and Unnecessary (Score:2)
"Regulate" had a different meaning? Really? Says who? I would like to see a source for that, because here is what I came up with from Findlaw:
On the commerce clause: "What is this power? It is the power to regulate; that is, to prescribe the rule by which commerce is to be governed. This power, like all others vested in congress, is complete in itself, may be exercised to its utmost extent, and acknowled
Bill would be unconstitutional (Score:2, Interesting)
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
Re:Bill would be unconstitutional (Score:2)
This is my main concern:
"If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of
Government Databases: BAD (Score:3, Insightful)
But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.
Now, given that:
With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!
Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier [schneier.com] has to say on that).
Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State [freestateproject.org].
Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
http://freestateblogs.net/node/306 [freestateblogs.net]
Re:Government Databases: BAD (Score:2)
That can't be right... (Score:2)
Clearly, the terrorists have kidnapped the real representatives and replaced them with pod people ! There's no other explanation for this.
Re:Recursive Acronym! (Score:4, Informative)
Re:Recursive Acronym! (Score:2)
DATA=DATA Accountability and Trust Act=DATA Accountability and Trust Act Accountability and Trust Act= DATA Accountability and Trust Act Accountability and Trust Act Accountability and Trust Act etc.
Re:Gee (Score:2)
Sorry, Mario, but our legal solution is in another castle!