
CA Senator Pushing For Tightened Data Breach Notification

California State Senator Joe Simitian has introduced new legislation designed to tighten data breach notification requirements, forcing businesses to provide more information about any data that has been leaked, in addition to notifying state authorities. Not included in the legislation are compensation requirements for data breach victims, which according to Simitian are not likely to appear for quite some time. "Instead, the next focus of legislation, he said, would likely be on who should bear the cost of sending out notifications to consumers. For example, should a credit card processing company that experiences a breach be responsible for the cost of notifying bank customers? When retailer TJX discovered in 2006 that hackers had accessed credit and debit card numbers passing through its network, banks were left notifying the customers, then had to sue TJX to get compensation for those costs. Heartland Payment Systems, which experienced a breach of credit and debit card numbers in January, has recently been sued by banks to recover their breach notification costs."

Comments:
  • by CarpetShark ( 865376 ) on Monday March 09, 2009 @06:46PM (#27127881)

    What's the point of notifying the public that their data has been lost, when they can't do anything about it? At the very least, they should be able to sue in a class action. Ideally, there should be some government organisation that tracks down the identity/resource thieves, figures out what damage was done without the owner's knowledge, returns things to rights, then bills the company that leaked it for all the trouble caused. If the upshot is that people just get a letter saying they're screwed, then why bother? It's basically just a cop-out.

  • by Chabo ( 880571 ) on Monday March 09, 2009 @06:51PM (#27127909) Homepage Journal

    Well for one, it means that the company responsible for the data breach is legally barred from initiating a cover-up that a breach ever happened. At least one instance of this has been reported on ./

    Second, if more information is made public, then they will have the ability to make a class action suit.

  • by James Youngman ( 3732 ) <jay@gWELTYnu.org minus author> on Monday March 09, 2009 @07:03PM (#27128007) Homepage

    It's fairly obvious that the cost of informing customers - and other related costs - should be borne by the organisation who failed in their duty to ensure the integrity and confidentiality of the data. After all, until we are at a point where it is cheaper to take the measures to keep the data safe than to be delinquent, companies are incentivised to be delinquent.

  • by erroneus ( 253617 ) on Monday March 09, 2009 @07:06PM (#27128023) Homepage

    I'm going to try to avoid the "Microsoft Blame Game" as frankly that gets us nowhere. But I will say that there are some older technologies that work better for transaction processing and storage than some newer, more contemporary systems.

    And frankly, even though some processing and transaction systems are very convenient for both processors and consumers, I think it just might be time to rein in many of these conveniences as implementation of any sort is simply too risky.

    All these reporting requirements are intended to add pressure to companies to take their systems security more seriously, but frankly, they will never listen until you tell them EXACTLY what is expected of them. Businesses are in the habit of managing risk that they feel is acceptable, but the problem is, they don't mind risking other people's data or their lives or anything else if it's not theirs directly.

    When people handle food, the government steps in with inspectors and laws and all sorts of things to help better ensure that your burger will not kill you. This has proven to work pretty well even though it has not stopped violators entirely. The same should be required of people handling sensitive financial and other personal information.

  • by schwaang ( 667808 ) on Monday March 09, 2009 @07:55PM (#27128493)

    Having received one such notification, it prompted me to keep a closer eye on my credit report and weigh the option of freezing my credit report [consumerist.com], thus making it harder for anyone to use my personally identifying info to borrow money under my name.

    In my case, a previous employer who was breached explained the circumstances (something they never would have done without the law), and offered to pay for credit monitoring (not required AFAIK). A very responsible approach to their mistake.

    A friend who was hit by the Univ. of CA breach was notified because of the law, but not offered monitoring.

    These notifications were useful to the affected individuals, even if their expense alone may not in itself have been enough to motivate better security procedures at the breached organizations.

    And obviously, if it happens again soon at either organization, people will raise hell.

    It's a start.

  • by microbee ( 682094 ) on Monday March 09, 2009 @09:13PM (#27129259)

    Right, except that all the extra cost from the burden will still be passed on to customers.

  • by NotQuiteReal ( 608241 ) on Monday March 09, 2009 @10:40PM (#27129961) Journal

    Notification of a "breach" is all well and good, but in many cases there shouldn't be as much data to breach in the first place.

    A recent personal example makes my point: I am a bit disturbed that both the university I graduated from decades ago and the guy I bought a car from 3 years ago send me birthday cards... I don't find it a nice gesture; I find it just wrong that they have retained my personal ID info for their marketing purposes. Therefore I will stop donating to the university and I will not buy a car from that dealership again. (It's not like I signed up for the "birthday club" or anything. Obviously they have "mined" my data collected for other purposes.)

    Seems like a better law would be that personal information be purged from the records of any place that has no legitimate reason to retain them.
