
New Legislation Would Punish Mishandling of Private Data

Posted by Soulskill
from the forty-days-in-the-chamber-of-fire dept.
An anonymous reader writes "A bill introduced Thursday by Senator Richard Blumenthal (D-CT) would regulate the handling of consumers' private data and punish companies who screw it up (e.g. Sony). 'These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to stiff fines.' Blumenthal told the NY Times, 'The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I've been struck with how many are preventable.'"
  • by Jerry (6400) on Friday September 09, 2011 @02:07PM (#37355318)

    insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent group of people on the planet?

    • by blair1q (305137)

      And you have a better rulemaking system?

      • Re: (Score:3, Insightful)

        by edmanet (1790914)
        Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.
        • by djdanlib (732853)

          You'd REALLY like to think so. So would I. Unfortunately, all of history proves that your average (key word: average) customer is about as smart as a bag of rocks. All you need to do is give them a good sales pitch, and they don't even bother to read the fine print on the paper you hand them! It's really sad and one of the reasons I needed to get out of retail so long ago.

          • by trout007 (975317)

            So let me get this straight. Most people are too dumb to make important decisions about things. But somehow they are smart enough to vote for people that are smart enough to be able to make rules that force them not to do things they would otherwise do? That doesn't make sense. If they are too dumb to make important decisions, what particular magic happens in the voting booth that makes them able to figure out who to vote for?

            • by djdanlib (732853)

              You're on the path to the uncomfortable realization that the vast majority of people don't care to be smart, because it's hard and doesn't immediately benefit them. Laziness trumps everything else.

              On average, people aren't smart enough to vote for anyone who will lay down solid foundations. They're too lazy and/or selfish. Instead, it's a giant game of I'll-scratch-your-back-if-you-scratch-my-back based on the hot topics, like tax breaks and all that entertaining mud slinging. Poll around, see how much peop

              • by trout007 (975317)

                Not at all. I have realized a long time ago that everyone is an expert on one thing. What makes them happy. The problem comes in when what makes one person happy is not what another person thinks should make them happy and they are prepared to use force to make them conform. The truth is some people are happier:

                Being addicted to drugs rather than living sober
                Living in poverty where they have no responsibilities
                Hooking up with anything that moves disease be damned
                Working a minimum wage job with little respon

                • by djdanlib (732853)

                  Interesting counterpoint. You can't make someone change something they don't want to change - that's a maxim of any social service group out there.

                  That philosophy sounds good at an individual level. Now consider it on a larger scheme than the individual. Imagine a collective societal unit of lazy/selfish/greedy people voting for whatever they think will most immediately benefit each of them personally. They aren't even considering other members of their group, just themselves. Then we wind up with a politic

                  • by trout007 (975317)

                    I also happen to believe from personal experience that you have to suffer in order to change. Anything someone does to relieve your suffering is committing a grave injustice.

                    Take a drug abuser for example. If they are happy living that way fine. If they are unhappy because they can't keep a job and are broke and homeless it is an injustice to just give them money or a place to live. They need to suffer in order to get to the point where they are serious about stopping and then they can stop on their own.

                    • by geekoid (135745)

                      what a quaint little 1950's belief.

                    • by trout007 (975317)

                      Just because it's quaint doesn't mean it's false. I never knew a friend that at the behest of friends and family turned their life around. It was only after hitting rock bottom and finally wanting to change did they do so.

            • by geekoid (135745)

              YOUR faulty premise is that people in Washington aren't smart. Clearly they are. So stop looking at a decision as stupid; instead ask why.

              DC has been incredibly successful at creating laws that establish a minimum bar.

        • by eldepeche (854916)

          So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employe

          • So instead of being assured of a standard level of security, customers (including people who sign up to comment on a website, people who want to use a bank and people who like to buy things on the internet) have to sort through the security policies of each provider and decide if it's good enough. Oh, and they also have to decide whether or not to believe the company's description of their data security policies. Does the company issue laptops? Do they require laptop drives to be encrypted? Do their employees write their decryption keys on a label stuck to the bottom of the laptop? Who knows?

            Who cares?

            If you want to just act without thinking or analyzing, you're utilizing trust.

            When you trust, you can be screwed over if you don't know who/what it is you're trusting.

            Get smart or get..... fart. Ed. On. :)

            • by eldepeche (854916)

              Without the government to sort out conflicts and enforce penalties, everyone has to trust the companies they do business with as well. You can do all the analysis in the world, people are still going to screw you over. The government can't be 100% effective, and neither can a customer. They can either invest huge amounts of time researching data retention policies (and eventually get burned anyway), or get repeatedly screwed over, or withdraw from the non-cash economy.

              Of course, the main difference is that

        • by uniquename72 (1169497) on Friday September 09, 2011 @03:01PM (#37356184)

          Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business ... More laws are not always the best answer.

          Obvious problem: There's no impetus (without laws) for any company to ever tell you that they've lost your data. So your model fails completely.

          • by lgw (121541)

            That's very true. But it's always better to regulate the goal, not the method. Fines for data loss are useful; government-specified security procedures? Nearly useless. Heck, there's a stupid amount of data loss from "PCI-compliant" companies already. Convincing the auditors that you're secure against a set of rules doesn't seem to be the ideal security solution.

        • by SomePgmr (2021234)
          I really do want to agree with you, but I don't think that'd play out like that.

          If they get hacked enough, they go out of business.

          You'd think after months of regular hacks, service downtime, DoS'ing, compromised customer info published all over, a long history of screwing their customers, etc., Sony would've been a prime candidate for this. Instead they hired a token g-man and went on with business as usual.

          Do the customers get hurt? Sure. They get smarter too.

          Again, I wish they would... but that doesn't seem to be the case. When a customer weighs their privacy and financial security against being able to

        • by webheaded (997188)

          Yes. Darwin's system. When a company gets hacked and customers' information is taken, they lose business. If they get hacked enough, they go out of business. Do the customers get hurt? Sure. They get smarter too. If a company is smart and secures their data, then they don't get hacked and they keep their customers and the customers don't get hurt. More laws are not always the best answer.

          I think the real point here is that I shouldn't have to keep getting screwed when I have absolutely no say in the matter. I don't KNOW what a company's internal security practices are like so how the hell am I going to be able to do anything about it? What you're saying is ridiculous. You can't know until it is too late and that doesn't seem to really convince anyone else but the company that was attacked to actually do something. So no, your "Darwin" system fails in my mind. I don't see that would eve

          • I don't get this huge hate for any and all regulation. Sometimes it is necessary. To say it is always necessary or that it is never necessary just makes you sound like a jackass. Come over here and live in the real world with the rest of us, please.

            I agree wholeheartedly. I think one of the big reasons regulation gets so much hate is poorly implemented regulations giving the broader concept a bad rap. In general terms I think the right way to regulate is to establish minimum standards that give a baseline of what is acceptable behavior. Behavior below that standard is in some way harmful to the public, which is what prompted the creation of regulation in the first place. Regulation should focus on what one should NOT do ("don't poison people's drinkin

        • by geekoid (135745)

          Wow, you really have no clue of the market, do you?

          Why would companies disclose there was a problem at all? What about companies where there really isn't an alternative? What about industries where all the players stop caring because it costs money, and hey, they don't have anyplace to go.

          You do know business used to be run without regulation, right? And people were killed from a variety of things they HAD NO CONTROL OVER.

          That is why there are regulations. Please try to understand that. For one of many, many ex

        • Darwinism is not a system. It's anarchy and chaos.

          Which is what you would seem to prefer.

      • by Entrope (68843)

        Sure: A liability system. If a company leaks my private data due to insufficient care, let me sue them (either individually or as part of a class) to help restore the security of that data, or at least to compensate me for the loss. Instead of saying "thou shalt follow these rules", just say "thou shalt have effective controls", and let companies or industry groups figure out how to live up to the duty to protect private data.

        • by hrvatska (790627)
          Who, specifically, would decide what constitutes the rules of insufficient care? Who are 'companies or industry groups'? Why can't consumers sue now? Who decides how much a breach is worth?
          • by Entrope (68843)

            Courts would decide whether a data holder fulfilled a duty to protect data they hold, just like they decide (as necessary) whether people or groups fulfil fiduciary or other duties under other laws.

            Companies are companies. Industry groups are what companies form when they have a common problem to solve, and working together to solve that problem is better than trying to solve it separately. (Courts might accept industry standards as sufficient care, or they might not. I would just expect companies to com

            • by eldepeche (854916)

              It sounds like you just invented a regulatory process, congratulations.

              Of course, regulations based on torts are pretty inefficient (compared to rules made by professionally trained bureaucrats), since legal services cost a lot of money. Imagine a check cashing company with a data breach: all the customers are poor and relatively powerless, so they can collectively hire a lawyer on contingency if they want the company to face consequences. Not much of a deterrent, compared to an automatic review process and

              • by Entrope (68843)

                If you think what I described is a regulatory process, you clearly have experience with neither courts nor regulatory processes. Do you think the courts act as a regulatory process for insurance fraud or murder?

                "Professionally trained bureaucrats" sounds like a criminal class by definition. They should not make rules for anyone except other career bureaucrats. The rules they make are the products of regulatory capture by some of the companies being regulated: The bureaucrats either need to be taught by t

                • by eldepeche (854916)

                  It's not possible under current law, and it would create an avenue for restitution to customers that would serve as a deterrent to certain behavior (lax security practices). I'm using a fairly loose definition of "regulatory process," but instead of the government pursuing action, you would have individuals (presumably after government-mandated disclosure?).

                  I see no reason to believe the legislation assigning liability for data breaches to companies (contingent on their lack of sufficient security practices

                  • by Entrope (68843)

                    The comment that started the thread explained the reason for doubting that government-created rules would generate good outcomes, but apparently you can't remember that far back.

      • Money buys power. (Score:3, Insightful)

        by rlglende (70123)

        Who do you think is asking for the rules? The same stupid corporations who can't ever provide decent security, of course.

        Before the rules are settled, companies will be immune to lawsuits from mere plebians who are injured by their screwups.

        Money buys power, so you can be sure this will be included in any rules.

        Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy produci

        • by rlglende (70123)

          The FDA is NOW responsible etc.

        • by eldepeche (854916)

          Since the FDA is responsible for approving drugs for sale in the US, they are responsible if people die of treatable diseases elsewhere.

          Therefore, we shouldn't worry about companies storing their customers' personal information unencrypted on a laptop they leave in their car in plain sight, because the market.

          • by rlglende (70123)

            And these statements relate to 'money buys power', and the consequences thereof, how?

            The US's drug industry develops more than half of the drugs in the world. The first thing they tell you in a drug development course is that no drug can be considered unless it has a $2B/year market because it takes $500M - $1B to get a drug to market, averaged over all of the efforts.

            Thus, a very low rate of new drug development despite the rapid decrease in the costs (10 cents / drug, 10 years ago when last I looked at t

            • by eldepeche (854916)

              The acid rain program in the 1990 clean air act set maximum levels of sulfur emissions, set per-coal-burning-unit targets and provided an incentive for reductions beyond that target (tradable emission credits). Emissions were successfully reduced, starting with the units where it was most economical to do so.

              I don't think anyone said that regulations don't have unintended consequences. They move the equilibrium to a place deemed more socially beneficial. The FDA makes medicine more expensive, but it also fo

            • by hrvatska (790627)

              Regulations eliminating lead in house paint and on toys were certainly a good thing and well worth the costs. The clean water act and its attendant regulations have been responsible for a great deal of the improved water quality in the US. The benefits of the clean air act far exceed its costs. Sulfur dioxide emissions declined 40 percent as a result of the Clean Air Act, nitrogen oxide 30 percent; volatile organic compounds 45 percent; carbon monoxide 50 percent, particulate matter by 75 percent; and le

        • Who do you think is asking for the rules?...

          Probably someone (Senator Richard Blumenthal) who got screwed over. Now, instead of "caring" and "listening to the concerns" of those involved, he will actually act.

          Just a hunch here... Just a hunch.

          • by rlglende (70123)

            Most legislation begins as a method of soliciting campaign donations.

            In any case, how does this disprove "money buys power" and the consequences thereof?

            The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

            • Most legislation begins as a method of soliciting campaign donations.

              You are so correct on that one, my friend. I concede, completely.

              The political problem around the world is now 'oligarchs' vs the rest of us, but most people are stuck in the 'left vs right' or 'corporations vs people' mindset.

              I understand you here and my mind agrees from every angle, but I'm not sure how you got on it. What did I miss?

        • by TubeSteak (669689) on Friday September 09, 2011 @03:22PM (#37356490) Journal

          Additionally, the world is far too complex for any set of rules to cover all the cases. The greater the complexity of the rules, normally proportional to the age and size of the bureaucracy producing them, the higher the rate of perverse consequences. For example, the FDA is now responsible for most of the deaths around the world, all due to "that drug doesn't exist yet" or "you can't afford the drug".

          Thus, regulations NEVER work, always have unexpected and/or perverse consequences.

          Name a set of regulations that work. Provide an economic evaluation of their consequences vs 'market solutions'.

          What a logical clusterfuck.
          Regulations NEVER work?
          Is your drinking water clean? Is there lead in your paint? Is melamine used as a filler in your food products?
          Did you have to work 12 hour days in an unsafe factory starting at the age of 8?

          Your question is just another version of "What have the Romans ever done for us?" [youtube.com]
          The answer is "a lot" and whoever modded you up should be ashamed of themselves.

          • by trout007 (975317)

            If you really think that the only reason companies don't intentionally kill people is because of laws, you are beyond hope. Your drinking water is only clean enough to pass regulations. But many people aren't satisfied by this, hence the market for water filters. So it's pretty obvious there are companies out there trying to provide products that people want because the regulations aren't doing it.

            Lead was used in paint for a very long time. Only when it was shown to cause problems did people want it out of th

            • by eldepeche (854916)

              Replace "intentionally" with "negligently" and you won't be far from the truth.

              The regulations help ensure that tap water won't kill anybody. I think that's a pretty reasonable floor for water quality. The fact that some people are willing to pay for slightly cleaner water does not mean that everybody else should be subjected to unsafe water, necessitating further filtration.

              Lead was used in paint for a lot of reasons: drying time, color duration &c. Making paint without lead meant it was more expensive

    • by mr1911 (1942298)

      insecurity due to evil intent or incompetence, corporations will now have to follow rules made up by the most incompetent, evil intent group of people on the planet?

      FTFY

      • by eldepeche (854916)

        FTFY

        By making it grammatically incorrect?

        • FTFY

          By making it grammatically incorrect?

          They dun americanizdeded it tthat makes it gramarticalicly kerrect!

          HUMOR, HUMOR.

        • by mr1911 (1942298)
          That was a special present for the grammar patrol.

          Your welcome!

          (Poor grammar is the gift that keeps on giving.)
    • Maybe this will provide disincentive to companies that simply snarf up all possible personal data because they can (I'm looking at you, Facebook). This is by far one of the most annoying trends as of late. That's why Game! [wittyrpg.com] doesn't ask for any personal information (because it doesn't need it) and makes email optional (if you want to be able to recover your account). Perhaps others will follow suit...

      • The law will likely make no distinction in the kind of information - once they have your name, they will have to comply. And, hell, if they have to comply they may as well get as much as possible so they can sell it.

    • Uh... better than nothing at all?
    • All fines do is hurt the stockholders, not the executives responsible for the fuckup.

      Too bad Peter Schiff didn't win that Senate seat, because then you'd see some real change.
  • The article mentions that they would have very specific requirements for the method by which data is protected. Not having seen the specifics, if they get too specific, I would be rather suspicious of the law becoming a barrier to future improvements - what they think of today as being "the right way" to do it doesn't mean it's the ONLY way and could end up being prohibitive based on the architecture of the system in question. I'm just sayin...
    • by TubeSteak (669689)

      Personal Data Protection and Breach Accountability Act of 2011 [govtrack.us]

      SEC. 303. ENFORCEMENT.

      (a) Civil Penalties-

      (1) IN GENERAL- Any business entity that violates the provisions of sections 301 or 302 shall be subject to civil penalties of not more than $5,000 per violation per day while such a violation exists, with a maximum of $500,000 per violation.

      (2) INTENTIONAL OR WILLFUL VIOLATION- A business entity that intentionally or willfully violates the provisions of sections 301 or 302 shall be subject to additional penalties in the amount of $5,000 per violation per day while such a violation exists, with a maximum of an additional $500,000 per violation.

      "Stiff" penalties my ass.

      SEC. 312. EXEMPTIONS.

      (b) Safe Harbor- An agency or business entity will be exempt from the notice requirements under section 311, if--

      (1) a risk assessment concludes that--

      (A) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the encryption of such information establishing a presumption that no significant risk exists; or

      (B) there is no significant risk that a security breach has resulted in, or will result in, harm to the individuals whose sensitive personally identifiable information was subject to the security breach, with the rendering of such sensitive personally identifiable information indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, which are widely accepted as an effective industry practice, or an effective industry standard, establishing a presumption that no significant risk exists;

      Motherfuckers. Breaches of security are just as relevant to the public as loss of data.
      My suspicion is that by the time this comes out of committee and works its way to Congress,
      it'll be so watered down that private businesses will be clamouring for it to be passed.

      • by TubeSteak (669689)

        And this is an associated piece of legislation:
        Data Breach Notification Act of 2011 [govtrack.us]
        It uses a lot of the same language, but has different dollar penalties attached to breaches.
        I haven't really given it a good read-through, but it seems to provide the caps on damages like the other bill

  • A far better policy (Score:3, Interesting)

    by cowwoc2001 (976892) on Friday September 09, 2011 @02:16PM (#37355462)

    A far better policy would be to require companies to disclose any time their servers are hacked, whether private user data is stolen or not. That would go a long way towards tying server security to a company's bottom line.

    Mandating specific guidelines is a bad idea because the government has no clue when it comes to good security, and even if they did, guidelines change over time.

    • by Stormthirst (66538) on Friday September 09, 2011 @02:24PM (#37355602)

      Perhaps even mandated compensation paid to the person whose data was lost, depending on what was lost. If it were 'merely' your name and address then that's $5,000. If your telephone number too, then $7,500. If it includes your social security number, then $50,000. Biometrics? $100,000 etc etc etc. If the person concerned can prove that their identity was used in the commissioning of a crime - triple the compensation.

      See how quickly companies tighten their security.

  • by Kohath (38547) on Friday September 09, 2011 @02:29PM (#37355682)

    These types of government regulations always turn out like this:

    - Businesses are forced to use "certified" firms as contractors or auditors
    - "Certified" firms are politically-connected firms with Washington lobbyists on their payroll
    - Government agencies get created to police whatever is regulated in the law
    - "Certified" firms work with the agencies to make sure certification is exclusive so they can charge above-market rates (rent seeking)
    - Executives at "certified" firms contribute to Richard Blumenthal's re-election campaign.
    - Small startup firms are kept out
    - Innocent business operators are raided by regulating agencies, even though they never had a security breach.
    - Security breaches and private data compromises continue despite government regulation
    - There are fewer jobs for everyone handling private data, and there are fewer choices of services.
    - Everyone wonders why we have high unemployment and private data breaches.
    - People propose deregulating so we can have our freedom back.
    - Someone comes up with the private-data equivalent of "think of the children!!!!"

    - Time passes. Another hundred such regulatory regimes get added for every facet of life. Life steadily gets worse for everyone who isn't politically connected.

    • by geekoid (135745)

      Except history shows that that seldom happens. When it does, it doesn't last long before getting shot down.

      But hey, keep making up shit. I mean, otherwise you would have to actually read and learn, and that would interrupt your wankery.

  • Data will leak, period. You can work really, really hard to make sure it doesn't, but eventually it will leak.

    Increased security only makes it harder, not impossible, and when the data does leak, the companies will be immune from prosecution, since they did everything they were required to do.

    • by geekoid (135745)

      Are you implying they should be punished for something that will eventually happen even when they take good security measures?

      Your premise is faulty, but I will ignore that part of it.

  • by Overzeetop (214511) on Friday September 09, 2011 @02:33PM (#37355756) Journal

    Put the corporate officers in jail - make the minimum sentence mandatory. It needn't be long. Hold people in power responsible and you'll see action.

    Business will make a value judgment based on the cost - $5,000,000 potential fine or $300,000 in IT changes means it happens. $5,000,000 fine or $3,000,000 in IT changes and all of a sudden it's not so clear cut. CEO and CIO guaranteed to get 6 months to 5 years in a federal pen for non-compliance and that IT change could cost $30,000,000 and it would be item number one on every single board meeting agenda until the transition is complete.

    • by Kohath (38547)

      So any low level employee with access to data can "accidentally" cause a security breach and get the executives put in prison. Justice!

    • What I think needs to happen is for fines to be based on a percent of income or assets rather than a fixed dollar amount. (I think some countries do this for speeding fines.) Only then will it be a proper disincentive for wealthy people, as opposed to just being a minor inconvenience as a "cost of doing business". In fact, make the percentage "progressive", like income tax, so the wealthier you are, the higher the percentage: fining a poor person 50% of their assets would cause them hardship, whereas fini
      • by rlglende (70123)

        Even if it could work for any period of time, how will you get it passed? The lobbyists will outspend you 1000s to 1. The corporate media will shape their message. Campaign contributions will make sure lobbyists 'have access' to present their arguments.

        Money buys power. You can't outspend the rich guys, so this is fantasy.

  • by Kozz (7764) on Friday September 09, 2011 @02:37PM (#37355812)

    Unless the "stiff fines" cost the company even more than the implementation of storage guidelines, why would they bother? When laws against corporations hit only their pocketbooks (say the cost of a few weeks' worth of hookers and blow for the CEO), they frequently don't have any teeth.

    • In addition, they will need to hold companies accountable when their offshore data center gets breached.

      Without this I see all the giant US companies saying that they are not responsible because the outsourcing firm did not store your data properly. And sorry, but the outsourcing firm is not a US entity and not subject to US law.

    • Perhaps they should add "And the CIO will be ass-raped for the rest of his days..."

    • Good luck with getting that law passed. Haven't seen many like it lately getting passed, R or D in power. Same owners, I think.

      "Stiff fines" costing the company more than the xxx is the standard method for enforcing all of the laws, works OK for you and me, but not for the guys with real $. They make campaign donations, socialize with the various attorney-generals and judges and regulators. Or their attorneys and PR firms do. In any case, the company pays the fine and usually has the BOD in his pocket

  • Does this only apply to companies that you do business/interact with, or will this apply to all the companies that keep data about you, including your social security number, for sale to anyone? Are those data-mining companies affected at all?
  • What happens when the feds violate these rules? Nothing? That's what I figured.

    I'd much rather have my banking info stolen by Russian mobsters than by the NSA. One will, at most, clean out the account. The other will rendition me to the middle of Africa because I bought the wrong kind of rug in the duty free shop while on layover in Istanbul.
  • that corporate interests will find some way to either defeat the proposed bill or change the punishment to a slap on the wrist. I'm guessing that someone hasn't paid this guy off recently and he's getting bitchy about it.
  • I think it would be better if we just made it so that lenders themselves are liable for any bank fraud that gets through due to insufficient identity verification.

    Identity theft doesn't exist. Instead banks are being robbed and they are making victims out of their customers.

    If a person notices that some bank let somebody else open up a line of credit in said person's name, said person just needs to say "I did not open this line of credit." It would then be up to the bank to prove otherwise. The bank should

  • The problem with legislation of this sort is that the fines imposed are ludicrously small compared to the revenue of the companies being fined.

    If I were fined for, say, exceeding the speed limit at the same ratio to my income as most fines imposed on companies, then the fine would be something like $0.05. Hardly a disincentive at all.

  • So let me get this straight: if the company fails to meet the guidelines, and the data leaks, consumers can sue. Can't they already? I fail to see how the consumer gains anything from this. And as others have pointed out, if a company does meet these proposed federal guidelines, and the data still leaks, it sounds like they'd be indemnified.

    All I see coming out of this is another costly, compliance-oriented set of regulations that place a burden on companies and at the same time deny citizens their right

    • Crikey, this is exactly the opposite of how it should work. I don't give a rat's ass what tech they use, and in fact specifying a tech makes your data less secure because once that is cracked somebody will put together a kit, i.e. US Data Security Law CR14-23 Canopener.

      What is needed is very simple. Corporate Officers must sign a document "we didn't have any leaks last year". If they don't sign or it turns out to be a lie, 5 years in Federal Prison + reimbursement of damages paid out by court assigned special

  • Is this going to turn out to be like the data retention laws, which managed to metamorphose into rules mandating destruction of data?

  • by MickyTheIdiot (1032226) on Friday September 09, 2011 @04:13PM (#37357136) Homepage Journal

    As we see in this thread, we have an idea that corporate anarchy will solve anything.

    I bet we're going to have a data event at some point that is going to equal 9/11 in importance before anything gets done, and then it will be some kneejerk reaction like the Patriot Act. We're totally screwed up in this country and at some point someone is going to decide that it's time for creative destruction... and that's scary.

  • Already in Europe (Score:4, Informative)

    by paugq (443696) <pgquiles AT elpauer DOT org> on Friday September 09, 2011 @04:31PM (#37357342) Homepage

    This kind of legislation has been in place in Europe for at least 20 years now.

    I don't know the specifics of the proposed US law but in Europe:

    • It has not promoted outsourcing, off-shoring, or anything like that. The law here is very picky on that: if you want to collect data from your customers, you take care of it; you cannot outsource that to some other company to avoid the law.
    • In fact, you cannot sell, loan or transfer personal data to any third party without getting explicit acceptance from the individuals affected
    • In every company there is a person (a physical person) responsible for each data "file" (i.e. a database with personal data). The company is only accountable for money, but that guy is accountable for criminal offenses.
    • Fines are pretty hefty. In my country, from 600 EUR (a very very very dumb issue, like publishing your name + ID card number in a report card) to 600,000 EUR (for some serious trespassing, like selling data to a third party).
    • As a consequence, companies are careful, and even the smallest ones take some minimum security measures.
  • FYI, Mexico passed the "LEY FEDERAL DE PROTECCIÓN DE DATOS PERSONALES EN POSESIÓN DE LOS PARTICULARES" or "federal law for the protection of personal data in the hands of third parties" (official decree page in Spanish: http://dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010 [dof.gob.mx]), which is scheduled to go into effect on Jan/2012. This law is equivalent to the US legislation and was probably a mandatory development in line with NAFTA and other international agreements.

    BTW, this has proven
