
Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com)

New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

  • market forces (Score:5, Interesting)

    by supernova87a ( 532540 ) <kepler1@NoSpaM.hotmail.com> on Thursday November 30, 2017 @10:35PM (#55655671)
    I have always said that for something like this, actually yes we should take a market approach, which Republicans should love.

    As in, let the penalty market for breaches of data be:
    $1 per name
    $2 per address
    $3 per phone number
    $10 per SSN
    And multiply those figures for combinations thereof.

    Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.
    • Re:market forces (Score:5, Insightful)

      by h8sg8s ( 559966 ) on Thursday November 30, 2017 @10:57PM (#55655755)

      Excellent idea. Companies should also directly bear the cost of damage and repairing credit.

    • by gumbi west ( 610122 ) on Thursday November 30, 2017 @11:23PM (#55655831) Journal

      Yikes, a phone book would cost millions!

      • Re:market forces (Score:4, Interesting)

        by thegarbz ( 1787294 ) on Friday December 01, 2017 @06:55AM (#55656835)

        Yikes, a phone book would cost millions!

        You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

        • Re: market forces (Score:4, Interesting)

          by bsDaemon ( 87307 ) on Friday December 01, 2017 @07:25AM (#55656901)

          Around 1999-2002... in this post-Columbine, post-9/11 world of fear we've found ourselves in.

          But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

          • Around 1999-2002... in this post-Columbine, post-9/11 world of fear we've found ourselves in.

            But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worry about. And people are bad at estimating risk and blow things out of proportion as it suits them.

            I had to chuckle at the last part, because you are right about the bad risk assessment - where many people have no problem getting jiggy with their shemale midget scat porn, all logged somewhere, but are too fearful to post their home number on their house or mailbox, because "privacy very important to me, and you never know when someone is going to randomly decide to kill everyone in our town with a 345 in their address!" Anyhow, if our addresses need to be a state secret, we're living in the wrong place

        • Yikes, a phone book would cost millions!

          You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

          Yup, As a Ham, I have my name, address license level and other information on me on many publicly accessible databases. It's been that way since radio Amateurs existed.

          But today, we are starting to see a few idiots demanding to have their identity kept as a secret. They are told to get a different hobby/avocation. Might as well demand to not have license plates on their cars. Whackers.

        • About the time of robo-dialing.

        • Re:market forces (Score:5, Insightful)

          by Solandri ( 704621 ) on Friday December 01, 2017 @10:00AM (#55657457)
          By themselves these pieces of information are quite harmless (though you had the option of paying the phone company for an unlisted number). Even a few of them together (name, address, phone number) is fairly innocuous.

          What's changed is the ability to cross-reference massive amounts of data to build up a profile of each person. Name, address, phone number, age, gender, marital status, job, income, education, SSN, what kind of car you drive, what type of phone you have (and have had since 2005), how many credit cards you have, size of mortgage on your house, what games you like to play, what movies you like, shoe size, pics from your vacation this past summer, that you're expecting a 2nd child in 3 months, computer you use, the last 1000 websites you've visited, that you still wear superhero underwear, your furry fetish, etc. Suddenly this is no longer about an anonymous name in a phone book; your entire personal life and details are laid bare.

          If the only data companies could collect were name, address, and phone number, I don't think people would be making a big deal about this (or said information being lost in a hack). But add in all that other stuff (some of which nobody should be allowed to collect in the first place) and you have a big problem. People are willing to give up some or most of this info for security (purportedly in the fight against terrorism), but not for Marketing uber alles. And they're especially pissed when a company collecting it for marketing purposes loses it.
        • by Mitreya ( 579078 )

          At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.

          1) I remember that I tried to not list my apartment phone number when I got an apartment in late nineties. It turned out that local phone company required $4/month (I think) to keep it off Yellow pages.

          2) Also, since the autodialers are a thing (not to mention Fax autodialers, that can annoy you for years!).

          3) And then there is the "Terminator" risk (what if I have the same name as someone being assassinated from the future?)

        • Perhaps when robocallers became a thing, and mass mailing became so inexpensive that stuffing people's mailboxes full of paper spam became commonplace. Technology allowed such public index to be readily exploited, and greed saw to it that it was.

          Even with an unlisted number, I still have to set my phone to not ring unless the caller is already in my list of contacts. I'm sure it won't be long though till even those numbers are spoofed, since so much of our personal data is bartered and traded.

    • by shayd2 ( 1689926 )
      I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."

      Does this mean the CEO? CIO? or Uber (the whole corporation)

      We need more prison space

      • by Anonymous Coward

        Everyone. The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there ar

        • Welcome to IniTech. Your best bet is to kick someone's ass or become someone's bitch on the first day.

        • "The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there are no funds av

        • Do NOT give them ideas.

          Management just heard: "I get to keep everyone on premises (and working) 24x7? Where do I sign up?"

      • by tsqr ( 808554 )

        I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."

        Does this mean the CEO? CIO? or Uber (the whole corporation)

        We need more prison space

        Well, you could actually read the bill -- there's a link right in TFS. But you won't, so here's the relevant snippet from section 1041: Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or mor

        • "and of the fact that notification of the security breach is required"

          Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...

          • by tsqr ( 808554 )

            "and of the fact that notification of the security breach is required"

            Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...

            So, you didn't read the bill. Every "covered entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain or process such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information".

            One of the required policies and procedures is "The identification of an officer or other individual as the point of contact with responsibility for t

        • After watching Trump administration officials repeatedly claim collective amnesia of important meetings and events of public record, I'd like to see it strengthened so that the penalty can be applied if to CEO, CIO etc. regardless of whether or not there is any evidence that they were actually told. It's too easy to erect barriers to communication that ensure deniability in the event of a scandal. However, if they are accountable regardless then they will be incentivized to ensure communication of data brea
    • In order for your multiplication scheme to work, the name would have to be worth more than $1.

      In fact, the information is normally not that useful without the name. So I'd make the name worth $5 at least.
      • There's also some addition going on there, you know.

        Anyhow... the value of the name is sort of an interesting topic, because it's highly contextual. For instance, my name is listed publicly on LinkedIn, along with my job skills, work history, and professional achievements. Obviously, you can't blame LinkedIn for "leaking" this information.

        On the other hand, say I were HIV positive and on a treatment list, or a member of Alcoholics Anonymous, or something similarly personal in nature. The release of just

    • by Anonymous Coward

      Oh, as if Republicans aren't interested in a federal law covering data security and breaches:
      https://www.congress.gov/bill/112th-congress/senate-bill/3333/text

      S.3333 - Data Security and Breach Notification Act of 2012
      112th Congress (2011-2012)
      Sponsor: Sen. Toomey, Pat [R-PA] (Introduced 06/21/2012)
      Committees: Senate - Commerce, Science, and Transportation
      Latest Action: Senate - 06/21/2012 Read twice and referred to the Committee on Commerce, Science, and Transportation. (All Actions)
      Cosponsors:
      Sen

    • The very fact that it would require a government, or (government sanctioned/appointed) agency to assess and enforce such penalties means it is not a "market approach."

      But that doesn't mean I disagree; if anything the fines should be at least 100x higher, maybe even 1000x since there's an almost certainty that penalties will settle for pennies on the dollar anyway.
      =Smidge=

    • Comment removed based on user account deletion
      • What would be awesome would be an ID card, whose only task in life is to be storage for keys. Of course, there would have to be protection for the person's secret key, and the ability to get a new key should something be compromised, but with HSM technology the size of a YubiKey, the biggest issue will be a key getting rendered inaccessible or lost.

        If we went with a key based system, it would also mean added privacy. A country can issue a certificate stating someone is over 21, and the card/token holder o
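The key-storage ID card sketched in the comment above, as an added example that is not code from this thread or from any real identity scheme: an issuing authority signs an "over 21" attribute bound to the holder's public key (so a relying party learns the attribute, not who the holder is), and the holder proves possession of that key by signing a nonce the verifier chooses. The claim format, the issuer name "example-registry", the keys and the clock value are all constructed for the example; Ed25519 from Go's standard library stands in for whatever an HSM-backed token would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what the issuing authority attests, bound to the holder's device key
// rather than to a name or number. Hypothetical format for illustration only.
type Claim struct {
	Issuer    string `json:"issuer"`
	HolderKey []byte `json:"holder_key"` // holder's Ed25519 public key, kept on the token
	Over21    bool   `json:"over21"`
	Expires   int64  `json:"expires"` // unix seconds; the verifier enforces this
}

// Credential is a Claim plus the issuer's signature over its canonical JSON.
type Credential struct {
	Claim     Claim
	Signature []byte
}

// encode produces the bytes that are signed and verified. encoding/json emits
// struct fields in declaration order, so the encoding is stable.
func (c Claim) encode() ([]byte, error) { return json.Marshal(c) }

// Issue signs a claim with the authority's key; relying parties later need only
// the authority's public key.
func Issue(issuerPriv ed25519.PrivateKey, claim Claim) (Credential, error) {
	b, err := claim.encode()
	if err != nil {
		return Credential{}, err
	}
	return Credential{Claim: claim, Signature: ed25519.Sign(issuerPriv, b)}, nil
}

// Present proves possession of the bound key by signing a verifier-chosen nonce,
// so a captured presentation cannot be replayed at another verifier.
func Present(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Verify checks, in order: issuer signature, expiry, the attribute itself, and
// that the presenter holds the key the credential is bound to.
func Verify(issuerPub ed25519.PublicKey, cred Credential, nonce, proof []byte, now int64) error {
	b, err := cred.Claim.encode()
	if err != nil {
		return err
	}
	if !ed25519.Verify(issuerPub, b, cred.Signature) {
		return errors.New("issuer signature invalid (forged or tampered credential)")
	}
	if now >= cred.Claim.Expires {
		return errors.New("credential expired")
	}
	if !cred.Claim.Over21 {
		return errors.New("holder not attested as over 21")
	}
	if len(cred.Claim.HolderKey) != ed25519.PublicKeySize {
		return errors.New("malformed holder key")
	}
	if !ed25519.Verify(ed25519.PublicKey(cred.Claim.HolderKey), nonce, proof) {
		return errors.New("possession proof invalid (presenter does not hold the bound key)")
	}
	return nil
}

// Demo runs the exchange plus the failure modes a verifier must reject.
// Keys, the issuer name and the clock value are constructed for the example.
func Demo() map[string]error {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := int64(1700000000)
	nonce := make([]byte, 32)
	rand.Read(nonce)

	claim := Claim{Issuer: "example-registry", HolderKey: holderPub, Over21: true, Expires: now + 86400}
	cred, _ := Issue(issuerPriv, claim)
	under := claim
	under.Over21 = false
	underCred, _ := Issue(issuerPriv, under)
	tampered := underCred // holder edits the attribute without the issuer re-signing
	tampered.Claim.Over21 = true

	return map[string]error{
		"valid":        Verify(issuerPub, cred, nonce, Present(holderPriv, nonce), now),
		"wrong_holder": Verify(issuerPub, cred, nonce, Present(otherPriv, nonce), now),
		"expired":      Verify(issuerPub, cred, nonce, Present(holderPriv, nonce), now+2*86400),
		"under21":      Verify(issuerPub, underCred, nonce, Present(holderPriv, nonce), now),
		"tampered":     Verify(issuerPub, tampered, nonce, Present(holderPriv, nonce), now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-12s %v\n", name, err)
	}
}
```

The verifier never sees a name, SSN or date of birth, only the attribute and a key; the nonce is what stops a recorded presentation from being replayed, and the "tampered" case shows why the attribute must sit under the issuer's signature rather than being stored unsigned on the token. Revocation (the lost-or-compromised-key case the comment mentions) is not covered here and would need the issuer to publish a status list the verifier checks.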

    • Isn't a market force. A market force is when you don't buy from somebody because of their poor security. You're not going to get anywhere convincing the other side with that argument. Somehow we've got to convince them there are some things the market alone can't do. In my experience it's a religion for a lot of people in that they take it on faith. The way I was taught the virtues of the market in grade school certainly made it seem so. No discussion of competing solutions just a blanket statement of 'this
    • What is the penalty for the 2014-2015 OPM data breach https://en.wikipedia.org/wiki/... [wikipedia.org] and who gets that money?

      21.5 million records lost . Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses.

      • Nothing. The government is immune to its own laws.

        https://en.wikipedia.org/wiki/Sovereign_immunity

        Sovereign immunity, or crown immunity, is a legal doctrine by which the sovereign or state cannot commit a legal wrong and is immune from civil suit or criminal prosecution.

        • Specifically to the US Federal Govt:

          Federal sovereign immunity In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. The United States has waived sovereign immunity to a limited extent, mainly through the Federal Tort Claims Act, which waives the immunity if a tortious act of a federal employee causes damage, and the Tucker Act, which waives the immunity over claims arising out of contracts to which the federal government is a party.[45] The United States as a sovereign is immune from suit unless it unequivocally consents to being sued.[46] The United States Supreme Court in Price v. United States observed: "It is an axiom of our jurisprudence. The government is not liable to suit unless it consents thereto, and its liability in suit cannot be extended beyond the plain language of the statute authorizing it." Price v. United States, 174 U.S. 373, 375-76 (1899).

    • Wow, then whitepages.com owes a lot of money for having millions of entries for those first 3...
    • Which is somewhat like something I dreamed about doing, until reality interfered: a supplement to the contract provided by those I deal with. Don't sign? I don't use your credit card or rental car or ISP services or whatever. (That's the point where reality intruded. They'd never go for it.)

      Terms:

      • You will take reasonable steps to safeguard data about me, my use of your product(s) and/or service(s), and all other information you gather related to me in the course of our relationship.
      • You protect it f
  • The federal agency responsible for enforcing these laws is the CFPB, which is getting shut down.
  • typo in the title (Score:4, Informative)

    by Anonymous Coward on Thursday November 30, 2017 @10:40PM (#55655701)

    Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."

    • Comment removed based on user account deletion
    • Re: (Score:1, Informative)

      by omnichad ( 1198475 )

      And they're not college students, they're collegiate students.

      No. You sometimes use nouns as adjectives. [wikipedia.org] Democratic does not (always or typically) mean member of the Democratic Party.

    • They enjoy how it sounds like "rat."

      Actually, in this case I suspect submitter used "Democrat" to make the subject line fit within slashdot's arbitrary length limit.

    • But as you said, "Democratic" is an adjective. Names, be they of people or groups, are proper nouns, no? Using the adjective means you are describing something about the nature of the subject, and in this case it would be redundant and ambiguous as all Senators are representatives in a democratic political system, also known as a Democracy.
    • Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an adjective to annoy Democrats. They enjoy how it sounds like "rat."

      Since both parties appropriated actual words and concepts for their titles, I'm not inclined to care much about this.

      Republican senators are no less "democratic" than Democrat senators. Nor are they any less democrats, really, but the naming here prevents any perfect solution.

    • That's not true at all. Just because there is AN adjective "democratic" does NOT mean you can just take a proper noun and use an adjective for an improper noun to describe it. If I work for a company called "Rainbow", you would say "Rainbow employees do X", not "Prismatic employees do X". A proper noun is a proper noun period.
  • by RickRussellTX ( 755670 ) on Thursday November 30, 2017 @10:48PM (#55655721)

    The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.

    I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.

    • by Anonymous Coward

      Yeah, the following is particularly incomprehensible:
      "... imposing a five year prison sentence on organizations caught concealing data breaches."

      Organizations in the US are not subject to conviction and sentencing to prison. They get to continue living outside prison walls, to hold their meetings, to plot their little evils, to continue to exist. There are no prisons here, no Death Penalties here.
      Criminal Enterprises like Enron and Equifax don't do Perp Walks. Oh, somebody may be chosen to do something symb

    • Moreover, it is clearly too little, too late. After Equifax, the cat is out of the bag. Emphasis at this point needs to be shielding consumers from the costs and inconvenience of identity theft.

    • I agree the imprisonment clause of the law would ultimately be construed to mean prison sentences for individuals, but I think it's an open question which individuals that would turn out to be in a corporate setting.

      Section 1041(a) says:

      (a) IN GENERAL.—Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both.

      So far so good, but then Section 1041(b) explicitly defines what constitutes a "person" subject to the above punishment: ‘

      (b) PERSON DEFINED.—For purposes of subsection (a), the term ‘person’ has the same meaning as in section 1030(e)(12) of this title.

      That's referring to already-existing 18 U.S.C. 1030(e)(12), which says:

      the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity."

      So if one or more people in a corporation know of a breach, know the corpor

    • And we all know how that will work. We'll establish breach@ourcompany.com as the official place to notify the people who need to know. All employees should email any breach information there. Brian is responsible for monitoring that email address. Now we lay off or reassign Brian.

      Someone keeps an eye on it semi-regularly. In a meeting CIO is told about the breach, says, "Did you email our breach contact?" Yes? I'm off to play golf.

  • by Anonymous Coward

    You know no MBA will ever serve one of those, but some poor code monkey who the MBA didn't listen to when he recommended tighter security probably will!

    Democrats pretending to not be the political wing of Goldman Sachs is just a joke. Fuck the Republicans too, but at least they're open about serving the interests of fossil fuel.

    • by dcw3 ( 649211 )

      You do realize that MBAs are a dime a dozen. My wife has two of them, and my 26 yr old kid was just accepted into an MBA program. More likely you meant C-Levels.

      It's highly doubtful that any "code monkey" (like my former self) will ever do time for any law like this. That usually flies internally when a company wants to lay blame, but any prosecutor isn't going to bite on that.

  • by RhettLivingston ( 544140 ) on Thursday November 30, 2017 @10:58PM (#55655759) Journal

    Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.

    I'm no attorney and could be misreading the proposed law (yes, I violated slashdot rules by reading both the article and the text of the proposed law), but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.

    In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.

    • by SteveSgt ( 3465 )

      I've always argued that all fines for any offense should not be fixed monetary amounts, but rather defined as some number of hours or days of the convict's income, depending on the severity of the crime, and calculated accordingly. Let that same rule and calculation apply to corporations as well.

      Perhaps a speeding ticket would cost a day's pay: $80 for some people, $80,000 for others. Big corporate misdeeds could require forfeiture of weeks or months of a company's income.

      • by Eldaar ( 5056619 )
        I like this idea because the whole point of having to pay a fine is to discourage the bad behavior. If a wealthy person has to pay a tiny fine, that does very little to discourage the bad behavior.

        As you say, fines should be proportional, not fixed.
    • but this one seems to rein in the states by forcing unbelievably low maximum total civil penalties of only $5 million.

      That's $5 million per case, the way I see it. A good DA could make every single person whose data has been stolen an individual case.

    • by Anonymous Coward

      Many times this.

      Setting a fixed price makes it a fixed-price-liability. Actual damages might differ wildly from these numbers.
      I'm all for fining companies that screw up their security and do not come clean about it. But damage that has to be recompensed due to a leak should be calculated from actual (or approximated) damages on a case-by-case basis.

      I prefer the Dutch (and mostly European) approach more.
      After a breach:
      - Local (national) privacy authority investigates company
      - Privacy authority fines company

    • by Anonymous Coward

      You'd have to hit a company like Apple with $1 billion to even get noticed.

      Agree with parent. The wording of the bill says "intentionally and willfully conceals the fact of the breach of security". A good attorney will be able to argue it was not intentional nor willful in many cases - such as Equifax. Never attribute to malice what can be attributed to incompetence as the old saying goes.

      What we need in the US is something similar to what Europe is doing. GDPR regulations make it as high as "up to 4% of the annual worldwide turnover of the preceding financial year". That

      • Totally agree. The GDPR appears to be much more consumer oriented. This one has all the right words as to what to penalize, but that is just because it needs to make sure that it is overriding all of the right state's laws. The purpose of this bill appears to be to override the state's rights to determine their own penalties and replace that with a maximum that is lower than some of them might impose.

        Ironically considering that it came from Democrats, I have similar issues with the way this affects the stat

  • Well.....the Democrats and their Hollywood bros seem to be breaching them often enough without a new law.

  • Are politicians and political organizations excluded from the requirement?
    • Agreed. There have been cases where it was revealed that government data was hacked, but did not notify victims of the breach.
  • As long as law enforcement was contacted any new protections will just go away as cyber investigative secrecy covers the data breaches.
    Federal protection if code litter can be found with parts of any foreign language.
    Welcome that national security letter and the full protection it offers.
  • I couldn't get the text of the law to load. Does the CEO go to prison? Does the head of IT go? I think this part of the law would be hard to write and implement. I agree with another poster that fines need to be high enough to be noticed by larger corporations.
  • by dcw3 ( 649211 )

    "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal."

    I'm sorry, but which special interests exactly are opposed to this? Is there some sort of hacker union lobbying against it?

  • by MoarSauce123 ( 3641185 ) on Friday December 01, 2017 @07:25AM (#55656905)
    Pass a bill that mandates that all companies and organizations storing personal data have to employ the strictest and most modern security measures. The measures have to be reviewed by an independent third party at least annually. If lack of doing this leads to a data breach the entire operations will be closed down holding management staff personally liable. Yes, I mean have the CIO put his weekend mansion on the market and sell his yacht to cover the damages caused. Things will only change when those in charge have to lose something.
    • by dcw3 ( 649211 )

      That all sounds fine, and I agree that it generally would be double plus good, but the implementation would be hellish...

      Define "strictest"
      Who gets to decide what are the "most modern security measures"?
      When do they become obsolete?
      How long do they have to transition to a new measure before getting in trouble?
      Who certifies the "independent third party", and how much is an annual review gonna cost my small mom & pop business?

  • "Democrat" Senators? (Score:2, Informative)

    by sphealey ( 2855 )

    "Democrat Senators"? So the Slashdot headline writers are now following the lead of Jesse Helms and Rush Limbaugh in attempting to change proper naming conventions to serve their own political ends?

    • Re: (Score:3, Interesting)

      by sabbede ( 2678435 )
      Well, since "Democratic" is an adjective, "proper" naming convention would preclude its use as a noun. Democrat and Democracy are nouns, words that identify objects. Democratic describes such objects, but doesn't specify or identify. The Senate is a democratic body, so the adjective describes it and all its members, be they Democrats or Republicans. Note that we do not say "Democratics and Republicans".
      • Grammar fail. In the phrase "Democratic Senator", "Senator" is a noun and "Democratic" is an adjective describing that noun. In the phrase "be they Democrats or Republicans", "Democrats" and "Republicans" are nouns, not adjectives. This can more easily be seen if you use the analogous phrase "whether they are Democrats or Republicans", in which case "They" is the subject (inherently a noun) and "Democrats or Republicans" is the object (also inherently a noun).
        • That's... exactly what I said. "Democrat Senators" refers to specific members of the Senate that are also Democrats. "Democratic Senators" refers to members of the Senate that are democratic, which is terribly ambiguous considering that the Senate is a democratic body at the heart of a democratic system of government.
          • What I said is not what you said. The word before "Senators" is an adjective, not a noun. That means the proper word to use is the adjective form of "Democrat", which is "Democratic", not "Democrat". And "Democratic" is not the same thing as "democratic". The former refers to things having to do with the Democratic party, whereas the latter refers to things having to do with democracy in its various forms. The phrase "Democratic Senators" is not ambiguous in the least. You'd have to be either willfull
    • Re: (Score:2, Informative)

      by JackieBrown ( 987087 )

      Yes! This is what is important! You hit the nail on the head.

      Are you fucking kidding me?

      Besides people like you, no one sees the term Democrat as any more insulting than the word Democratic. The words are interchangeable to non-partisan people.

      • by sphealey ( 2855 )

        Which is why the hard Radical Right spends so much time trying to forcibly change the proper name of their opponent: because it is meaningless. Got it.

  • So, let me see if I have this straight...

    "We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,"

    ....and....

    If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.

    Yeah, I'm sure no organizations will abuse that gray area at all.

  • DemocratIC Senators Introduce...

    There is no such thing as the "Democrat" party. It's the "Democratic" party. Using "Democrat party" is just a way for Republican politicians to irritate Democrats.

  • So, riddle me this. Doesn't this allow very amateur hackers to cause major industry upsets? I can walk into just about any office building, and grab some random private information by looking over a secretary's shoulder. I then tell the company (anonymously, sure) that I stole one customer's information. The company then needs to announce to the world that they've been breached.

    So little old me, with a few minutes per day, can cause a big corporate to announce a breach of 1 customer every single day.

    Soun

  • If this goes into law... what if they don't discover the breach until someone tries to sell the database they lifted? This is perfect for criminals. Now, wait 31 days before selling the database. Then, in order to avoid jailtime, the companies are FORCED to spend funds to cover up the fact that they were breached and NOT notify customers. Bravo.
  • The bill would impose a five year prison sentence on "organizations". Just how do Democrats expect to incarcerate a corporation?
