CA Senator Pushing For Tightened Data Breach Notification
California State Senator Joe Simitian has introduced new legislation designed to tighten data breach notification requirements, forcing businesses to provide more information about any data that has been leaked in addition to notifying state authorities. What was not included in the legislation was any imposed compensation requirement for data breach victims, and according to Simitian one is not likely to be for quite some time. "Instead, the next focus of legislation, he said, would likely be on who should bear the cost of sending out notifications to consumers. For example, should a credit card processing company that experiences a breach be responsible for the cost of notifying bank customers? When retailer TJX discovered in 2006 that hackers had accessed credit and debit card numbers passing through its network, banks were left notifying the customers, then had to sue TJX to get compensation for those costs. Heartland Payment Systems, which experienced a breach of credit and debit card numbers in January, has recently been sued by banks to recover their breach notification costs."
A good start (Score:3)
Finally, some good legislation coming from a California politician!
Notification is useless (Score:2, Insightful)
What's the point of notifying the public that their data has been lost, when they can't do anything about it? At the very least, they should be able to sue in a class action. Ideally, there should be some government organisation that tracks down the identity/resource thieves, figures out what damage was done without the owner's knowledge, returns things to rights, then bills the company that leaked it for all the trouble caused. If the upshot is that people just get a letter saying they're screwed, then
Re:Notification is useless (Score:5, Insightful)
Well for one, it means that the company responsible for the data breach is legally barred from initiating a cover-up that a breach ever happened. At least one instance of this has been reported on ./
Second, if more information is made public, then they will have the ability to make a class action suit.
Notification is toothless, but not useless (Score:4, Insightful)
Having received one such notification, I was prompted to keep a closer eye on my credit report and to weigh the option of freezing my credit report [consumerist.com], thus making it harder for anyone to use my personally identifying info to borrow money under my name.
In my case, a previous employer who was breached explained the circumstances (something they never would have done without the law), and offered to pay for credit monitoring (not required AFAIK). A very responsible approach to their mistake.
A friend who was hit by the Univ. of CA breach was notified because of the law, but not offered monitoring.
These notifications were useful to the affected individuals, even if their expense alone may not in itself have been enough to motivate better security procedures at the breached organizations.
And obviously, if it happens again soon at either organization, people will raise hell.
It's a start.
Re: (Score:2)
Who is this "Chilling" of whom you speak?
Re: (Score:2)
You know who else pushed for tightened data breach notification? Chilling.
Please. Do enlighten us, Mr. Troll Person...
Leaker pays, surely. (Score:5, Insightful)
It's fairly obvious that the cost of informing customers - and other related costs - should be borne by the organisation that failed in its duty to ensure the integrity and confidentiality of the data. After all, until we are at a point where it is cheaper to take the measures to keep the data safe than to be delinquent, companies are incentivised to be delinquent.
Re: (Score:3, Insightful)
Right, except that all the extra cost from the burden will still be passed on to customers.
Which is exactly how it should be. (Score:2)
Right, except that all the extra cost from the burden will still be passed on to customers.
Which is exactly how it should be. Customers will then switch to the more secure service providers because they are cheaper.
This is even true if the "customers" are other corporations, such as banks.
Making the responsible party bear the cost of their mistakes is an incentive to make fewer mistakes.
I'd be happier to see tighter tech requirements (Score:4, Insightful)
I'm going to try to avoid the "Microsoft Blame Game" as frankly that gets us nowhere. But I will say that there are some older technologies that work better for transaction processing and storage than some newer, more contemporary systems.
And frankly, even though some processing and transaction systems are very convenient for both processors and consumers, I think it just might be time to rein in many of these conveniences as implementation of any sort is simply too risky.
All these reporting requirements are intended to add pressure to companies to take their systems security more seriously, but frankly, they will never listen until you tell them EXACTLY what is expected of them. Businesses are in the habit of managing risk that they feel is acceptable, but the problem is, they don't mind risking other people's data or their lives or anything else if it's not theirs directly.
When people handle food, the government steps in with inspectors and laws and all sorts of things to help better ensure that your burger will not kill you. This has proven to work pretty well even though it has not stopped violators entirely. The same should be required of people handling sensitive financial and other personal information.
Re: (Score:2)
The problem is that most voters are too stupid to understand what you're talking about, whereas food is another story entirely. Also there's lobbyists, as usual.
I'd like to see a data purge law (Score:4, Insightful)
A recent personal example makes my point; I am a bit disturbed that both the University I graduated from decades ago, and the guy I bought a car from 3 years ago, both send me birthday cards... I don't find it a nice gesture, I find it just wrong that they have retained my personal ID info for their marketing purposes. Therefore I will stop donating to the university and I will not buy a car from that dealership again. (It's not like I signed up for the "birthday club" or anything. Obviously they have "mined" my data collected for other purposes.)
Seems like a better law would be that personal information be purged from the records of any place that has no legitimate reason to retain them.
Re: (Score:2)
Seems like a better law would be that personal information be purged from the records of any place that has no legitimate reason to retain them.
The lawyers will have a field day with the definition of "legitimate reason." The law needs to be more specific, something like if I tell you to drop my data you do it. I know it takes some customer action, but it's a hell of a lot better than we have now.
Re: (Score:3, Informative)
As a programmer, I should know that. If there is anything more pedantic than a stupid compiler, it's a fuckin lawyer. Those guys must be idiots or assholes. (Note the ambiguity of "fuckin" versus "stupid". It all depends on whether you've hired one to attack you or defend you - "fuckin" can be a good thing or bad.)
Re: (Score:2)
Currently, whoever collects data about you owns that data. We have no real rights about how that information is used, which is why most of it is sold for marketing purposes. There are some rules, like companies aren't supposed to store your credit card details without your permission, but many of them do because it's cheap to store and the information may be useful in the future.
The difficulty comes in defining what information is legitimate and why. For example, if I place an order online, they need my
Re: (Score:1)
I also find it disturbing that anytime I express my willingness to buy something more expensive, there is no way to move forward without providing my address, and a telephone number.
The sellers do not even want to talk without this information. Later I get a few "happy" calls per day with offers of some kind. It is pretty annoying, and tak
Re: (Score:2)
If you value your privacy, you have to take measures to protect it. You can get a private mailbox for everything that wants an address and a phone that you give out freely, but don't bother answering unless you are expecting something.
Basically, you draw a clear distinction between your real life and your consumer persona. So you end up with a mailbox full of crap? If you know what you're looking for, you just throw away the rest. Same goes with answering machines on your line you give out to everyone -
Do we need more point solution laws? (Score:1)
How about holding the companies accountable? (Score:1)