The Data Accountability and Trust Act (DATA)
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
Existing medical laws (Score:3, Interesting)
What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.
Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.
What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.
Re:Long Overdue (Score:3, Interesting)
If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.
Re:Long Overdue (Score:4, Interesting)
But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?
Re:Unconstitutional and Unnecessary (Score:3, Interesting)
I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.
Most of the acronyms you listed have their basis in previous regulations that failed, or previous favoritism ("cronyism") that created a maze that prevented competition from entering the market that you say failed. I have no hope in new laws fixing any problems at all, they'll just make things worse so the door is opened for more laws in the future.
Re:So how much is this going to cost? (Score:3, Interesting)
Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?
Re:Long Overdue (Score:3, Interesting)
Tighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.
Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.
If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?
e.g.:
Eye Colour
Retina Pattern
A fingerprint
A fingerprint and the finger it comes from
Your first name
Your full name
You can bet your last pence that Direct Marketers would start the scope creep to etch away at what would be considered Personal Data, and you will end up with those fuckwits STILL protected by law and still unaccountable.
Bill would be unconstitutional (Score:2, Interesting)
The better option would be for customers to only deal with companies who have a legal agreement to disclose breaches.