Forgot your password?
typodupeerror

The Data Accountability and Trust Act (DATA) 170

Posted by Zonk
from the not-a-terrible-idea-for-once dept.
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
This discussion has been archived. No new comments can be posted.

The Data Accountability and Trust Act (DATA)

Comments Filter:
  • Long Overdue (Score:5, Insightful)

    by TripMaster Monkey (862126) * on Tuesday April 04, 2006 @09:55AM (#15057399)

    It's about time a law like this was enacted.

    On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.
    • I agree wholeheartedly. This is the sort of thing that can and should have legislation attached to it, something that will (if enforced) actually benefit its citizens. Legal overhead is going to increase, but I guess that is the price we pay for increased legal traffic. Now if only there were some realistic decline in petty lawsuits...

      you can't legislate morality.

    • It should be implied as interpreted through our Constitution, and amendments, etc. We can't publish sensitive data from a major corporation on the Internet, or we would get sued. It should be easier for class-actions to occur -- what I mean to say, is that it should be the job of the FTC to ensure the validity of businesses, and make sure they aren't raping the populace. That being said, it should be implied, understood, and common practice to prevent big business from doing some of the things that they sho
      • Re:Long Overdue (Score:1, Flamebait)

        by fbjon (692006)
        It's "spam", not "SPAM". They're not the same thing.
        • How is this flamebait? The trademark holders have specifically requested that spam be referred to in lowercase characters to differentiate it from SPAM(R), the spiced ham food product. The parent is correct.
      • Re:Long Overdue (Score:3, Insightful)

        by amliebsch (724858)
        It should be implied as interpreted through our Constitution, and amendments, etc.

        What? How? You can't just pretend those documents say something they don't. Well, you shouldn't.

        We can't publish sensitive data from a major corporation on the Internet, or we would get sued.

        What makes you think that?That being said, it should be implied, understood, and common practice to prevent big business from doing some of the things that they should be doing in the first place (privacy violations, overcharging, ba

        • No, seriously, and a good question. Like the GP posted, there shouldn't be more laws, but less. Our government should be a small shop, not the country's largest employer. The same law that prevents me from spying on my neighbor, and collecting information about him, should protect me from privacy abuses from major corporations (times the number of people they do this to). We don't need a special law to prevent this, it should already be in-place. The problem, as I see it, is that it is not enforced, because
          • Re:Long Overdue (Score:4, Interesting)

            by amliebsch (724858) on Tuesday April 04, 2006 @11:03AM (#15058072) Journal
            The same law that prevents me from spying on my neighbor, and collecting information about him

            But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?

        • You can't just pretend those documents say something they don't.
          You've obviously never met Justices Blackmun, Breyer and Marshall.
      • Re:Long Overdue (Score:3, Interesting)

        by cayenne8 (626475)
        I think a MUCH better law, would be to legislate that one's personal data belongs to THEM, and that any company has to ask permission to house such, and MUST request permission to sell personal data or offer it for sale at all.

        If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.

        • Re:Long Overdue (Score:3, Interesting)

          by tezza (539307)
          You said: I think a MUCH better law, would be to legislate that one's personal data belongs to THEM,

          Thighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.

          Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.

          If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?

          e.g.:
          Eye Colour
          Retina Pattern
          A fingerprint
          A fingerprint and the finger

        • All this will accomplish is making sure that every single contract any company makes with an individual includes the right to do whatever the company wants with all of your personal information.
    • Re:Long Overdue (Score:4, Informative)

      by TubeSteak (669689) on Tuesday April 04, 2006 @10:25AM (#15057699) Journal
      This is going to lead to a certain amount of data hysteria once it gets passed.

      Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

      "Your information is unsafe" will become a new media theme, along with "kids shooting up schools", "female teachers sleeping with students" and "pretty white girl goes missing".

      BTW - businesses cannot go around redefining "breach" or "personal information", because the bill defines exactly what those are.

      If you read the text of the bill [loc.gov] they've dodged out on specifying some of the trickier parts by using language like "Not later than 270 days after the date of enactment of this Act" to require the definition of certain aspects of the bill. Very poor idea, as it gives the lobbyists something to aim at weakening.

      It's sponsored by a Republican from Florida and co-sponsored by a stack of other R's. Good idea, possibly poor implementation.
      • Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

        GOOD!

        You say that like it's a bad thing. People NEED to be aware of this.

      • Re:Long Overdue (Score:3, Insightful)

        by Hrodvitnir (101283)
        Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

        Don't worry, after a couple months it will become such a beaten dead horse, everyone will think "Oh, this stuff happens all the time. My chances of having my identity stolen are next to nil." And the notice gets tossed in the trash never to be worried about again.
      • I don't think the government should have to levy fines against violaters. By simply forcing companies to announce security violations, Adam Smith's invisible hand will make poor security a competitive disadvantage to those possesing it.
        • The hand's already half-tied. Corporations are special treatment from the government in exchange for additional rules and regulations. This is simply the price of government-protected limited liability.

          Don't want to follow it? Don't incorporate.
      • It's sponsored by a Republican from Florida and co-sponsored by a stack of other R's.


        Those damn Republicans, trying to protect your private data. What will they think of next?
    • let's see:
      In California we have a law that requires notification of data privacy breaches. Remember Choicepoint being in the news? That was CA's 'fault.'

      In California the law allows people to put a Credit Freeze on their account. Far stronger than a 'fraud alert,' this requires the person to temporarily lift the freeze in order to add new credit. Makes life most difficult for identity thieves. Also makes it harder for new companies (no pre-existing relationship) to offer credit, so the person misses out on
      • Funny, this new law guts California's law.

        No it doesn't. California's law is stricter that this new act, and complying with DATA won't protect a company from being proscecuted for not complying with the CA act. Federal law only overrides state when the federal act is stricter.

        As an example, let's take minimum wage laws. If Congress raises the federal minimum wage, everybody has to pay at least that much, even in states where the state minimum is lower. However, if you live in a state where the local

        • You're right in general. My reference is to the Financial Data Protection Act of 2005 passed by the House Financial Services Committee two weeks ago. As this article on HR3997 [enterprise...eforum.com] says:

          "The legislation also pre-exempts any state laws mandating breach disclosures to consumers. According the Consumers Union, 11 states currently have stricter notification standards than H.R. 3997, including a California law that has resulted in numerous consumer notifications over lost data tapes and database breaches."

          If DATA isn
  • Tax payers get to pay for yet another government audit agency (or group within an agency FTC) that audits companies. Boy the IRS isn't a bloated piece of shit or anything. I guess someone has to make sure the govt can fine people/companies.
    • by Theatetus (521747) on Tuesday April 04, 2006 @10:01AM (#15057468) Journal

      You work for ChoicePoint or something?

      Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.

      • corporate regulation is understandable in light of dicks like Enron, but it's very very expensive for businesses. Boo-hyphen-hoo, you may say. However, if it costs more for a company to operate, they'll charge more. It'll cost you more as a consumer.
        It could be argued that Sarbanes Oxley and the raft of other regulation is overkill. You might argue that companies should have some damn sense of what's right and what isn't, without needing to be regulated down to the tiniest level.
        Alternately you could
        • You might argue that companies should have some damn sense of what's right and what isn't, without needing to be regulated down to the tiniest level.

          You could say the same thing about people, but I don't think it's out of place to say there should be laws against people killing, stealing, defrauding, etc.

          Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...

          Happy? No. Convinc

          • The problem is that the options aren't, "get raped by companies or pass laws like S/O or this." There are other options as well. For example, you could work with the companies that will be affected, have them explain their business processes and how oversight will impact them, and then pass very specific, very detailed regulations that constrain businesses in ways that help consumers without constraining them by default in ways that do not help.

            One great example with S/O is data retention. It makes sense to
        • Alternately you could argue that you don't trust any company, and would want them to undergo expensive and painful audits - and that you'd be happy as a consumer to pay for that...

          You mean there are people out there that actually trust, private companies?!!

          Private companies are the most untrustworthy entities on planet earth. They exist for one reason and one reason only, making money by whatever means necessary. If your "trust" in them stands in the way, they'll gladly walk all over it. Nay, eagerly. At
          • You have it exactly backwards. It's the /public/ companies (ie, corporations) that exist purely to increase shareholders' bottom-lines. Private companies exist for whatever purposes their respective proprietors assign to them.
    • Well, what would you prefer? That we rely on companies to admit that they screwed up?
    • by Anonymous Brave Guy (457657) on Tuesday April 04, 2006 @10:09AM (#15057548)

      The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.

      If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.

      At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.

      • If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the ti

    • Tax payers get to pay for yet another government audit agency (or group within an agency FTC) that audits companies.

      Tax payers pay for a lot more than that...
      (speaking as a non-american looking at all those acts and bills)

      CAN SPAM : Controlling the Assault of Non-Solicited Pornography And Marketing
      DATA : Data Accountability and Trust Act
      USA-PATRIOT : Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
      ... and I bet you have a lot more ...

      Som

  • It's certainly about time they did something. But, I'm sure loopholes will easily be found as soon as the campaign contributions start rolling in. Also, I assume everyone noticed the acronymn. It reminds me of Gnus Not Unix.
  • Does this law apply if my privacy is violated due to a breach of law done by a government agency?

    Oh, wait...
    • Re:The gov (Score:3, Interesting)

      by bubbasatan (99237)
      Apparently, there was a recent security breach relating to a computer housing data from one of the retirement programs in the state of Georgia. Data was stolen, including names, SSNs, banking info, etc, and the state sent a form letter with applications for retrieving credit scores. Although this isn't quite the same as what you are saying, it is a breach that occurred on the government's watch. Do government agencies have the same notification duties as companies under this new legislation? Who holds g
  • by tropicdog (811766) on Tuesday April 04, 2006 @09:58AM (#15057430)
    I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.
    • They better in order to meet the definition of the bill which is

      The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no su

  • So, does this mean Equifax is required by law to tell me someone else is using my social security number?
  • by Thaelon (250687) on Tuesday April 04, 2006 @10:01AM (#15057462)
    How the hell would you know if this law was ever broken if they don't tell anyone?
  • by saden1 (581102)
    Why the god damn FTC? They are a worthless bunch idiots, not that congress isn't full of those.
  • Such a law won't pass. It't too anti-business.
  • Now the government is using recursive acronyms? I thought that the FSF had a patent on that...
  • Exemption... (Score:5, Insightful)

    by Olmy's Jart (156233) on Tuesday April 04, 2006 @10:08AM (#15057539)
    But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.
    • If they took reasonable care to encrypt their data effectively then I wouldn't object to that provision. However, if all they have to do is have their database engineers ROT13 all the names, this sounds like the gotcha where the new act actually improves things for businesses, as an earlier poster predicted.

    • Re:Exemption... (Score:3, Insightful)

      by Billosaur (927319) *
      But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.

      Even if the encryption isn't lame or broken, it's still data out there on the loose. How long would it take to crack, given all the available informatio

      • This also fails to address the threat of an inside job. It doesn't matter how well encrypted your data is if the bad guy has the keys.

        I think that what needs to happen is for someone to do a complete analysis of why having data hordes is dangerous - is it because it's inherently dangerous for someone to know too much about you or is it because anyone who appears to know too much about you is assumed to "be" you by money lenders, law enforcement, etc?
      • Almost all recent encryption software support at least AES-128, so the algorithms are rock-solid. "Tricks and simple algorithms" aren't the problem.

        The problem is encryption key management. Where do you store that AES key? Obfusacated in a binary? In your backup scripts using permissions to prevent unauthorized access?

        I do best I can and use public-key encryption for encrypting backup data (OpenPGP), with the secret keys escrowed offline. But this doesn't work for "live" data that needs encryption. The secr
    • Re:Exemption... (Score:5, Informative)

      by amliebsch (724858) on Tuesday April 04, 2006 @10:30AM (#15057746) Journal
      There's an exemption if they encrypt their data - even if the encryption is lame or broken.

      It doesn't say that! Stop making stuff up.

      The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

      Now perhaps there are encryption algorithms approved by the NIST that you feel are not sufficiently strong - though you haven't given any examples - but to claim that you can use any old encryption algorithm is FUD, pure and simple.

      • To give you an example... Some examples taken from WiFi for illustration... WPA is suppose to be better than WEP. It uses better hardened cryptography, such as would be approved here. It can use AES (WPA2 mandates support for it) and it uses TKIP. But... WPA-PSK is abysmally weak. Capture 4 packets of the WPA-PSK handshake (which you can force) and you can then do an off-line brute-force attack on the pre-shared key. If that PSK/passphrase is less than, say, about 24 charracters, you can break it.
        • But... WPA-PSK is abysmally weak

          Sorry, but that is pure FUD. WPA-PSK is not "abysmally weak". WEP is "abysmally weak". You cannot, in any reasonable length of time, brute force a WPA-PSK key of length any more than 8 characters, especially if they are numbers, capital letters, symbols etc. Heres a hint, go to this password generator [grc.com], get a key, and you are safe, despite using the ""abysmally weak" WPA-PSK. Do you want to brute-force that? Your 24 character limit is bogus. Try it yourself, make a WPA

          • Maybe a little more research is in order here...

            http://www.linuxjournal.com/article/8312 [linuxjournal.com]

            From that article:

            In November 2003, Robert Moskowitz, a senior technical director at ICSA Labs (part of TruSecure) released "Weakness in Passphrase Choice in WPA Interface". In this paper, Moskowitz described a straightforward formula that would reveal the passphrase by performing a dictionary attack against WPA-PSK networks. This weakness is based on the fact that the pairwise master key (PMK) is derived from the combin
    • From The Bill: (Score:4, Insightful)

      by TubeSteak (669689) on Tuesday April 04, 2006 @10:31AM (#15057767) Journal
      http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.412 7: [loc.gov]
      Sec 5. (1) ...The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised
      That's a great clause, even though it opens the door to conflicting expert opinions. They absolutely have to include a reporting mechanism into the law, so that there is a timely way to get the issue heard and resolved.
    • (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate manage
  • The nice thing about a law like this is not that we'll be informed, but rather that companies will be more cautious with the data, knowing that they'll HAVE to inform us if they screw up.

    Less laptops flying coach with 20,000 credit card numbers in an excel spreadsheet on it. (My next door neighbor got a nice paper-mail note from an company that let a laptop get snatched just last week.)
  • Let us count the ways:

    1) amendments
    2) exceptions (gov't, big business, telcos)
    3) loopholes
    4) unclear/incomplete definitions
    5) enforcement (is the FCC the best choice?)
    6) insert your scenario here

    It sounds good, but the devil (as usual) is in the details.

  • We've had all these reports in congress about how unprepared the nation is for cyberwar. This seems like one pretty good market based approach to increasing our preparedness (though others may be necessary). If companies have greater risk exposure for insecure data, they have a greater fiduciary responsibility to secure it. A simple solution that Adam Smith could be proud of.
  • I'm curious as to what will be defined as "personal data." Email address? What about MRU lists or cookies? Also what's the definition of "notify." Does it count as notification if the company puts a one line blurb at the bottom of it's website? This legislation may be utilitarian in spirit, but I fear the letter of the law will change little. Business as usual...
  • Did they actually come up with a recursive acronym? is there a geek advising them? there's hope!!! WHEE!!!
  • The bill requires consumers to be told if their privacy has been violated because of a breach.
    So phone companies will be required to notify customers if the NSA illegally wire-taps their line under a Holy Decree -- er, I mean "executive order" from King George?
  • by PIPBoy3000 (619296) on Tuesday April 04, 2006 @10:25AM (#15057696)
    At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.

    What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.

    Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.

    What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
    • While I agree that this is an expensive cost for small businesses, I disagree that it would "bankrupt small organizations".

      Why? Because of insurance. If this bill passed, insurance companies would just start offering up another service as soon as they figured out a risk forumla to calculate the price they're going to set.

      Now... in the medical field, insurance is a big cost, but a 'small' (generally defined as less than 500 employees) business should have less to lose & so, less fees to pay for coverage.
    • A smaller business would have fewer customers and therefore not have to spend as much. Any business where sending a form letter to customers is a prohibitively high cost is probably sick and likely to go under anyway.

      Given that it can take up weeks or months to clear up your credit history and potentially costs thousands of dollars if someone uses your information to open fraudulent accounts, I don't think it's unreasonable to ask companies to send a letter when they fail in their legal obligation to prote
    • Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.

      I think that's the point of this kind of law. It hits both big and small organizations hard when they screw up. Provides some significant incentive to tighten up security policies. Just like your example, why the heck did someone leave backup tapes in a car unattended? Seems like they weren't taking their security very seriously.
    • My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization....Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.

      Any business that allows it backup tapes to be ferried around in the back of a car doesn't deserve to be in business.
  • Now in addition to PIN Numbers and ATM Machines [fun-with-words.com], we'll have the DATA Act.
  • Is slipshod security practices within a company. Sure security breaches are pretty damn scary, but I've worked with some PRETTY big company who had some pretty lousy security practices, and should know better. I recently worked with a HUGE payroll company to outsource my employer's payroll to them. The task fell to me to export all the data from our existing payroll system, perform some data hygene, and send it to this payroll company in delimeted format.

    They suggested that I simply attach the .tab files
  • by digitaldc (879047) * on Tuesday April 04, 2006 @10:41AM (#15057855)
    PICARD: What's the problem, Mister Data?

    Data turns to them.

    DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.

    They react. Data indicates the phishing email on the screen. They walk up to it...

    DATA: It is the flashpoint of a privacy invasion. And it is expanding.

    PICARD: Expanding... I thought phishing scams were suspended on this ship?

    DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.

    TROI:Why didn't we notice it before?

    DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.

    PICARD: Is there any way we can stop it?

    DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.

    Picard stares at the screen for a long moment...becoming very thoughtful...

    PICARD: Astonishing... to see our identities stolen like this...
  • by PrvtBurrito (557287) on Tuesday April 04, 2006 @10:41AM (#15057862)
    Dear PrvtBurrito,

    We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:

    [Click here to update your account]

    If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.

    Thank you for using PayPal (or whatever service is being spoofed)!
  • As a cynical American, I wonder what sort of riders are tacked onto this bill. In an administration where national ID card legislation is tacked onto a military spending bill, I wouldn't be surprised if we're signing ourselves into slavery here...
  • by rakerman (409507) on Tuesday April 04, 2006 @10:51AM (#15057943) Homepage Journal
    Is it just me, or do these legislators spend more time thinking up clever titles that spell out words than on the actual content of the bills?
  • Encrypting your data in bulk is not a bad security measure. However, if the breach does not involve the mass theft of encrypted data files, but rather a break in normal access methods, the encryption does not provide any protection at all.

    You still have to deal with "trusted user" abuse as well as protecting the API that allow normal decrypted access to the data.

    Imagine being the systems/database admin who has to report a data loss to management.
    Management will have a very hard time understanding that data
  • Secure Transactions (Score:3, Interesting)

    by Doc Ruby (173196) on Tuesday April 04, 2006 @11:08AM (#15058123) Homepage Journal
    I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
  • Somewhere at the bottom of the EULA that nobody can read? Encrypted in a billion lines of legalese that makes your eyes water and is essentially unreadable to the normal human being?

    I'm not even concerned about the various loopholes and excemptions that this bill will most likely have (I have to admit, I did not read it. Nor is it worth the time reading it 'til it's passed for the simple reason that if it COULD present a benefit against spyware in software it WILL be changed). Even without loopholes it's po
  • What if your privacy is breached by a third party?

    A credit card validation service?

    An outsourcing campany?

    The consumer is not the "customer", especially in the second case.
  • The US Congress has no mandate in the Constitution offering them any power over consumer privacy or information. The Interstate Commerce Clause was written to give the Federal government power to regulate the states to prevent them from taxing, tariffing or embarging interstate commerce: it was not meant to regulate commerce in any other way.

    This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notif
    • This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement. If the company won't do business with you, don't buy from them -- if you want a cheap price, you might be willing to forgo this contract feature.

      That's nice in theory, but one of the reasons we have government regulation is to help mitigate the asymmetry of power that prevents individuals from ever negot

      • it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.

        I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.

        Most of the acronyms you listed have their basis in previous
        • Dada, let me start by saying that I respect much of what you have to say, I read your gold blog weekly and have you friended and at +5 on slashdot, but I think in this case you're missing something. As you well know, the idea of an unregulated free market only works when all parties involved have full knowledge in a given transaction, in this case most of the people affected are not aware yet that there is a problem. I would argue that it will in fact be a long time before the public perception of this type
    • This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement.

      Wait a second. Why does a company require an express instruction not to sell my data, but can do as it pleases with my data without any approval implied or explicit?

      Is it implied that if I do business with a company that every detail of our transaction is forever available for that company to; use, sell, tr
      • And if companies choose to abuse their customer's trust by making private dealings public, then it's clear that legislation is needed.

        I don't see that as the case at all. There is no right to privacy if you openly put information out there. My father told me at a young age to never put anything in writing that I didn't want others to know and use against me. That is true with all my private information.

        I don't bank. I don't have credit cards. I don't trade stocks. I am living 100% on a gold hard money [unanimocracy.com]
    • The US Congress has no mandate in the Constitution offering them any power over consumer privacy or information. The Interstate Commerce Clause was written to give the Federal government power to regulate the states to prevent them from taxing, tariffing or embarging interstate commerce: it was not meant to regulate commerce in any other way.

      If the framers merely wanted to keep states from taxing, tariffing or embargoing interstate commerce, why did they just not say: "States shall not have the power to tax
  • Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.

    The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
    • I agree, but certainly they will claim it falls fully under interstate commerce, especially considering much of this data is collected from people from various states across the internet. I'd actually think this would be one of the lesser stretches of the interstate commerce clause.

      This is my main concern:

      "If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of

  • by Plugh (27537) on Tuesday April 04, 2006 @01:55PM (#15059870) Homepage
    It's nice that consumers would be notified when our ostensibly private data has been spilled by businesses.
    But that's chump change compared to the damage that gets caused when government databases' content is lost, or unprotected.

    Now, given that:

    • Private businesses have a huge motive to avoid losing data -- when they do, customers are free to go elsewhere (and we do!)
    • You're not free to "go elsewhere" when your Government loses your data
    • Governments are likely to have way more sensitive and intrusive data than private businesses
    • You typically know exactly what info, say, the credit card company has about you. You typically have no idea what info the government has about you.
    • No database is 100% secure, no data is 100% safe -- especially not from humans with administrative access and plenty of reasons to leak the data
    • Which do you trust to get IT right: a make-or-break project for a company, or Yet Another Government Project?

    With all the above in mind, surely it makes sense to limit what data the Government collects, and to keep that data compartmentalized in local databases, rather than a nice, juicy, massive, single federal instance? Right!?!?!

    Yet, that's exactly what is happening right now, with the "Real-ID" bill. (Here's what Bruce Schneier [schneier.com] has to say on that).

    Every single U.S. State except one has lined up like crack addicts to accept the federal money to implement Real-ID. That one State is New Hampshire, aka the Free State [freestateproject.org].

    Here's a link to some pretty cool info about how and why the NH House rejected Real-ID:
    http://freestateblogs.net/node/306 [freestateblogs.net]

  • ...it sounds almost reasonable. A bill that would help protect real human beings against corporations ? And it's actually being seriously considered ?

    Clearly, the terrorists have kidnapped the real representatives and replaced them with pod people ! There's no other explanation for this.

Never underestimate the bandwidth of a station wagon full of tapes. -- Dr. Warren Jackson, Director, UTCS

Working...