Government Privacy Your Rights Online

New Legislation Would Punish Mishandling of Private Data

An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"

  • Already in Europe (Score:4, Informative)

    by paugq ( 443696 ) <pgquiles@@@elpauer...org> on Friday September 09, 2011 @05:31PM (#37357342) Homepage

    This kind of legislation has been in place in Europe for at least 20 years now.

    I don't know the specifics of the proposed US law but in Europe:

    • It has not promoted outsourcing, off-shoring, or anything like that. The law here is very picky on that: if you want to collect data from your customers, you take care of it; you cannot outsource that to some other company to avoid the law.
    • In fact, you cannot sell, loan or transfer personal data to any third party without getting explicit acceptance from the individuals affected.
    • In every company there is a person (physical person) responsible for each data "file" (i.e. a database with personal data). The company is only accountable for money but that guy is accountable for criminal offenses.
    • Fines are pretty hefty. In my country, from 600 EUR (a very very very dumb issue, like publishing your name + ID card number in a report card) to 600,000 EUR (for some serious trespassing, like selling data to a third party).
    • As a consequence, companies are careful and even the smallest ones take some minimum security measures.
