The Data Accountability and Trust Act (DATA)

An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
  • by PIPBoy3000 ( 619296 ) on Tuesday April 04, 2006 @10:25AM (#15057696)
    At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.

    What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.

    Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.

    What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
  • Re:Long Overdue (Score:3, Interesting)

    by cayenne8 ( 626475 ) on Tuesday April 04, 2006 @10:28AM (#15057728) Homepage Journal
    I think a MUCH better law, would be to legislate that one's personal data belongs to THEM, and that any company has to ask permission to house such, and MUST request permission to sell personal data or offer it for sale at all.

    If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.

  • Re:Long Overdue (Score:4, Interesting)

    by amliebsch ( 724858 ) on Tuesday April 04, 2006 @11:03AM (#15058072) Journal
    The same law that prevents me from spying on my neighbor, and collecting information about him

    But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?

  • Re:The gov (Score:3, Interesting)

    by bubbasatan ( 99237 ) on Tuesday April 04, 2006 @11:03AM (#15058073) Homepage
    Apparently, there was a recent security breach relating to a computer housing data from one of the retirement programs in the state of Georgia. Data was stolen, including names, SSNs, banking info, etc, and the state sent a form letter with applications for retrieving credit scores. Although this isn't quite the same as what you are saying, it is a breach that occurred on the government's watch. Do government agencies have the same notification duties as companies under this new legislation? Who holds government accountable when their data security is inadequate and/or fails?
  • Secure Transactions (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Tuesday April 04, 2006 @11:08AM (#15058123) Homepage Journal
    I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.
  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Tuesday April 04, 2006 @11:45AM (#15058482) Homepage Journal
    it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.

    I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.

    Most of the acronyms you listed have their basis in previous regulations that failed, or previous favoritism ("cronyism") that created a maze that prevented competition from entering the market that you say failed. I have no hope in new laws fixing any problems at all, they'll just make things worse so the door is opened for more laws in the future.
  • by Anonymous Brave Guy ( 457657 ) on Tuesday April 04, 2006 @11:50AM (#15058529)
    ChoicePoint

    They created an entire new division that ONLY deals with privacy and security issues, have instituted a number of new policies, ALL employees now go through extensive background checks (causing my team to have to turn down a couple of otherwise good applicants due to irregularities that they couldn't explain) and a $10 million fine at the end of last year.

    Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?

  • Re:Long Overdue (Score:3, Interesting)

    by tezza ( 539307 ) on Tuesday April 04, 2006 @12:17PM (#15058811)
    You said: I think a MUCH better law, would be to legislate that one's personal data belongs to THEM,

    A tighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.

    Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.

    If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?

    e.g.:
    Eye Colour
    Retina Pattern
    A fingerprint
    A fingerprint and the finger it comes from
    Your first name
    Your full name

    You can bet your last pence that Direct Marketers would start the scope creep to etch away at what would be considered Personal Data, and you will end up with those fuckwits STILL protected by law and still unaccountable.

  • by TonyXL ( 33244 ) on Tuesday April 04, 2006 @01:24PM (#15059535) Journal
    Congress has no authority to regulate this. If a particular state wanted to pass such an act, and they were within their constitutional limits to do so, then fine.

    The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.
