Democrat Senators Introduce National Data Breach Notification Law (cyberscoop.com) 162
New submitter unarmed8 shares a report from CyberScoop: Three Democratic senators introduced legislation on Thursday requiring companies to notify customers of data breaches within thirty days of their discovery and imposing a five year prison sentence on organizations caught concealing data breaches. The new bill, called the Data Security and Breach Notification Act, was introduced in the wake of reports that Uber paid $100,000 to cover up a 2016 data breach that affected 57 million users. The scope of what kind of data breach falls under this is limited. For instance, if only a last name, address or phone number is breached, the law would not apply. If an organization "reasonably concludes that there is no reasonable risk of identity theft, fraud, or other unlawful conduct," the incident is considered exempt from the legislation.
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Sen. Bill Nelson, D-Fla., said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."
market forces (Score:5, Interesting)
As in, let the penalty market for breaches of data be:
$1 per name
$2 per address
$3 per phone number
$10 per SSN
And multiply those figures for combinations thereof.
Let companies choose to store and protect people's personal information with these potential penalties. The market will sort itself out pretty quickly.
Re:market forces (Score:5, Insightful)
Excellent idea. Companies should also directly bear the cost of damage and repairing credit.
Re: (Score:1)
Re: (Score:1)
unless it has to do with recreational drugs.
you know, "Just in case"
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
You are a very good parrot. Now trying looking at who these companies' CEOs are actually donating to.
Re:market forces (Score:5, Funny)
Yikes, a phone book would cost millions!
Re:market forces (Score:4, Interesting)
Yikes, a phone book would cost millions!
You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.
Re: market forces (Score:4, Interesting)
Around 1999-2002... in this post-columbine, post-9/11 world of fear weâ(TM)ve found ourselves in.
But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worrt about. And people are bad at estimating risk and blow things out of proportion as it suits them.
Re: (Score:2)
Around 1999-2002... in this post-columbine, post-9/11 world of fear weâ(TM)ve found ourselves in.
But also, as society has grown and the avenues for impersonating strangers have multiplied as more and more people move around a lot rather than live in the same area for generations, there is more to worrt about. And people are bad at estimating risk and blow things out of proportion as it suits them.
I had to chuckle at the last part, because you are right about the bad risk assessment - where many people have no problem getting jiggy with their shemale midget scat porn, all logged somewhere, but are too fearful to post their home number on their house or mailbox, because "privacy very important to me, and you never know when someone is going to randomly decide to kill everyone in our town with a 345 in their address!" Anyhow, if our addresses need to be a state secret, we're living in the wrong place
Re: (Score:3)
Yikes, a phone book would cost millions!
You have been modded funny, but it's actually quite interesting. At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.
Yup, As a Ham, I have my name, address license level and other information on me on many publicly accessible databases. It's been that way since radio Amateurs existed.
But today, we are starting to see a few idiots demanding the have their identity kept as a secret. They are told to get a different hobby/avocation. Might as well demand to not have license plates on their cars. Whackers.
Re: (Score:2)
Same here.
I've actually wanted to post my call sign on sites like /. at various times through the years, but declined to do so because it's a single lookup on fcc.gov to find my personal details.
Yeah, me too. Don't want to offend the politically correct on both sides, so I don't post it.
Re: (Score:2)
About the time of robo-dialing.
Re:market forces (Score:5, Insightful)
What's changed is the ability to cross-reference massive amounts of data to build up a profile of each person. Name, address, phone number, age, gender, marital status, job, income, education, SSN, what kind of car you drive, what type of phone you have (and have had since 2005), how many credit cards you have, size of mortgage on your house, what games you like to play, what movies you like, shoe size, pics from your vacation this past summer, that you're expecting a 2nd child in 3 months, computer you use, the last 1000 websites you've visited, that you still wear superhero underwear, your furry fetish, etc. Suddenly this is no longer about an anonymous name in a phone book; your entire personal life and details are laid bare.
If the only data companies could collect were name, address, and phone number, I don't think people would be making a big deal about this (or said information being lost in a hack). But add in all that other stuff (some of which nobody should be allowed to collect in the first place) and you have a big problem. People are willing to give up some or most of this info for security (purportedly in the fight against terrorism), but not for Marketing uber alles. And they're especially pissed when a company collecting it for marketing purposes loses it.
Re: (Score:2)
At what point did we freak out about someone knowing our name, address and phone number? This used to be a public record.
1) I remember that I tried to not list my apartment phone number when I got an apartment in late nineties. It turned out that local phone company required $4/month (I think) to keep it off Yellow pages.
2) Also, since the autodialers are a thing (not to mention Fax autodialiers, that can annoy you for years!).
3) And then there is the "Terminator" risk (what if I have the same name as someone being assassinated from the future?)
Re: (Score:2)
Perhaps when robocallers became a thing, and mass mailing became so inexpensive that stuffing people's mailboxes full of paper spam became commonplace. Technology allowed such public index to be readily exploited, and greed saw to it that it was.
Even with an unlisted number, I still have to set my phone to not ring unless the caller is already in my list of contacts. I'm sure it won't be long though till even those numbers are spoofed, since so much of our personal data is bartered and traded.
Re: (Score:1)
Does this mean the CEO? CIO? or Uber (the whole corporation)
We need more prison space
Re: (Score:1)
Everyone. The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there ar
Re: (Score:1)
Welcome to IniTech. You're best bet is to kick someone's ass or become someone's bitch on the first day.
Re: (Score:2)
"The whole corporation is to be turned into a jail. Armed guards at every company property, no departures will be permitted for any reason. Total surveillance of every vehicle if the company is involved in transportation or off-site services. No managers, bosses, board members, stockholders, contractors, customers, or employees will be permitted either to leave for other jobs or to quit or retire, but will be required to continue until the period of corporate imprisonment ends, even if there are no funds av
Please...PLEASE (Score:1)
Management just heard: "I get to keep everyone on premises (and working) 24x7? Where do I sign up?"
Re: (Score:3)
I am more interested in "Imposing a five year prison sentence on organizations caught concealing data breaches."
Does this mean the CEO? CIO? or Uber (the whole corporation)
We need more prison space
Well, you could actually read the bill -- there's a link right in TFS. But you won't, so here's the relevant snippet from section 1041: Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or mor
Re: (Score:2)
"and of the fact that notification of the security breach is required"
Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...
Re: (Score:2)
"and of the fact that notification of the security breach is required"
Good thing they worked "If you didn't know this was a law, it doesn't apply to you" into the law itself. Nobody would EVER lie about that to get off of a 5 year prison stint...
So, you didn't read the bill. Every "covered entity that owns or possesses data containing personal information, or contracts to have any third-party entity maintain or process such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information".
One of the required policies and procedures is "The identification of an officer or other individual as the point of contact with responsibility for t
Re: (Score:2)
Re: (Score:3)
Even under HIPAA, those aren't considered PHI
That's because it's not HI (Protected Health Information). It doesn't mean it shouldn't be protected - just that it's not covered by a law specifically about Helath Information
Re: (Score:1)
Really? The people caught out in the Ashley Madison breach may disagree with this. Anything that makes the individual identifiable carries with it certain risks, and to this extent must be protected.
Re: (Score:2)
In fact, the information is normally not that useful without the name. So I'd make the name worth $5 at least.
Re: (Score:2)
There's also some addition going on there, you know.
Anyhow... the value of the name is sort of an interesting topic, because it's highly contextual. For instance, my name is listed publicly on LinkedIn, along with my job skills, work history, and professional achievements. Obviously, you can't blame LinkedIn for "leaking" this information.
On the other hand, say I were HIV positive and on a treatment list, or a member of Alcoholics Anonymous, or something similarly personal in nature. The release of just
Re: (Score:1)
Oh, as if Republicans aren't interested in a federal law covering data security and breaches:
https://www.congress.gov/bill/112th-congress/senate-bill/3333/text
S.3333 - Data Security and Breach Notification Act of 2012
112th Congress (2011-2012)
Sponsor: Sen. Toomey, Pat [R-PA] (Introduced 06/21/2012)
Committees: Senate - Commerce, Science, and Transportation
Latest Action: Senate - 06/21/2012 Read twice and referred to the Committee on Commerce, Science, and Transportation. (All Actions)
Cosponsors:
Sen
Re: (Score:3)
The very fact that it would require a government, or (government sanctioned/appointed) agency to assess and enforce such penalties means it is not a "market approach."
But that doesn't mean I disagree; if anything the fines should be at least 100x higher, maybe even 1000x since there's an almost certainty that penalties will settle for pennies on the dollar anyway.
=Smidge=
Re: (Score:2)
Re: (Score:2)
What would be awesome would be an ID card, whose only task in life is to be storage for keys. Of course, there would have to be protection for the person's secret key, and the ability to get a new key should something be compromised, but with HSM technology the size of a YubiKey, the biggest issue will be a key getting rendered inaccessible or lost.
If we went with a key based system, it would also mean added privacy. A country can issue a certificate stating someone is over 21, and the card/token holder o
The government levying fines (Score:2)
Re: (Score:2)
What is the penalty for the 2014-2015 OPM data breach https://en.wikipedia.org/wiki/... [wikipedia.org] and who gets that money?
21.5 million records lost . Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses.
Re: (Score:2)
Nothing. The government is immune to its own laws.
https://en.wikipedia.org/wiki/Sovereign_immunity
Sovereign immunity, or crown immunity, is a legal doctrine by which the sovereign or state cannot commit a legal wrong and is immune from civil suit or criminal prosecution.
Re: (Score:2)
Specifically to the US Federal Govt:
Federal sovereign immunity In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. The United States has waived sovereign immunity to a limited extent, mainly through the Federal Tort Claims Act, which waives the immunity if a tortious act of a federal employee causes damage, and the Tucker Act, which waives the immunity over claims arising out of contracts to which the federal government is a party.[45] The United States as a sovereign is immune from suit unless it unequivocally consents to being sued.[46] The United States Supreme Court in Price v. United States observed: "It is an axiom of our jurisprudence. The government is not liable to suit unless it consents thereto, and its liability in suit cannot be extended beyond the plain language of the statute authorizing it." Price v. United States, 174 U.S. 373, 375-76 (1899).
Re: (Score:3)
Re: (Score:1)
Which is somewhat like something I dreamed about doing, until reality interfered: a supplement to the contract provided by those I deal with. Don't sign? I don't use your credit card or rental car or ISP services or whatever. (That's the point where reality intruded. They'd never go for it.)
Terms:
Who do they think is going to enforce these laws? (Score:1, Troll)
typo in the title (Score:4, Informative)
Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an an adjective to annoy Democrats. They enjoy how it sounds like "rat."
Re: (Score:1)
Re: (Score:1, Informative)
And they're not college students, they're collegiate students.
No. You sometimes use nouns as adjectives. [wikipedia.org] Democratic does not (always or typically) mean member of the Democratic Party.
Re: (Score:2)
The groups are called Democrats and Republicans.
And when you use it descriptively, you call them "Republican" senators. So why would the group name not apply?
So it is with "Democratic Senators" with the emphasis on the capital "D".
While it may be less common, both phrases have been in use since the 1800's, according to Google's Ngram viewer. That one is more common doesn't make the other wrong.
Re: (Score:2)
Actually, in this case I suspect submitter used "Democrat" to make the subject line fit within slashdot's arbitrary length limit.
Re: (Score:2)
Re: (Score:2)
Democrat is a noun. Democratic is the correct adjective. Right wing extremists use the noun as an an adjective to annoy Democrats. They enjoy how it sounds like "rat."
Since both parties appropriated actual words and concepts for their titles, I'm not inclined to care much about this.
Republican senators are no less "democratic" than Democrat senators. Nor are they any less democrats, really, but the naming here prevents any perfect solution.
Re: (Score:3)
5 prison term for *individuals* (Score:5, Interesting)
The article is almost gibberish. The proposed law imposes fines and/or a prison term of not more than 5 years, for (1) individuals who know that the data breach law applies, (2) who willfully and intentionally conceal the breach (notably it does not say "fail to notify", but "willfully and intentionally conceal"), (3) in the event that at least $1000 of economic harm occurs to at least one individual.
I'm not a lawyer, but I think the bar for "willfully conceal" is pretty high. I think they're definitely trying to protect "innocent bystanders" who may know about the breach but choose to do nothing for fear of their jobs or livelihoods.
Re: (Score:1)
Yeah, the following is particularly incomprehensible:
"... imposing a five year prison sentence on organizations caught concealing data breaches."
Organizations in the US are not subject to conviction and sentencing to prison. They get to continue living outside prison walls, to hold their meetings, to plot their little evils, to continue to exist. There are no prisons here, no Death Penalties here.
Criminal Enterprises like Enron and Equifax don't do Perp Walks. Oh, somebody may be chosen to do something symb
Re: (Score:2)
Moreover, it is clearly too little, too late. After Equifax, the cat is out of the bag. Emphasis at this point needs to be shielding consumers from the costs and inconvenience of identity theft.
Re: (Score:2)
I agree the imprisonment clause of the law would ultimately be construed to mean prison sentences for individuals, but I think it's an open question which individuals that would turn out to be in a corporate setting.
Section 1041(a) says:
(a) IN GENERAL.—Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both.
So far so good, but then Section 1041(b) explicitly defines what constitutes a "person" subject to the above punishment: ‘
(b) PERSON DEFINED.—For purposes of subsection (a), the term ‘person’ has the same meaning as in section 1030(e)(12) of this title.
That's referring to already-existing 18 U.S.C. 1030(e)(12), which says:
the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity."
So if one or more people in a corporation know of a breach, know the corpor
Re: (Score:2)
And we all know how that will work. We'll establish breach@ourcompany.com as the official place to notify the people who need to know. All employees should email any breach information there. Brian is responsible for monitoring that email address. Now we lay off or reassign Brian.
Someone keeps an eye on it semi-regularly. In a meeting CIO is told about the breach, says, "Did you email our breach contact?" Yes? I'm off to play golf.
5 year prison sentences... (Score:1)
You know no MBA will ever serve one of those, but some poor code monkey who the MBA didn't listen to when he recommended tighter security probably will!
Democrats pretending to not be the political wing of Goldman Sachs is just a joke. Fuck the Republicans too, but at least they're open about serving the interests of fossil fuel.
Re: (Score:2)
Wow, the Russian AC crowd is out in force here.
Yeah, sow the seeds of apathy, demonize American politics in general, divide and conquer.
Wait, is Bannon a Russian agent, too? He seems to be using the same strategy as the Kremlin. Hmm...
Re: (Score:2)
Re: (Score:2)
You do realize that MBAs are a dime a dozen. My wife has two of them, and my 26 yr old kid was just accepted into an MBA program. More likely you meant C-Levels.
It's highly doubtful that any "code monkey" (like my former self) will ever do time for any law like this. That usually flys internally when a company wants to lay blame, but any prosecutor isn't going to bite on that.
Sheep in wolf's clothing from big corporate view (Score:5, Interesting)
Many laws and regulations sold as protecting us from corporations are actually written for the exact opposite purpose - to put ceilings on civil awards.
I'm no attorney and could be misreading the proposed law (yes, I violated slashdot rules by reading both the article and the text of the proposed law), but this one seems to reign in the states by forcing unbelievably low maximum total civil penalties of only $5 million. Many recent breaches deserve far more than that even if reported immediately. You'd have to hit a company like Apple with $1 billion to even get noticed.
In order for penalties to be effective, a major breach should have a significant hit on a corporation's profit for at least a quarter. This does not allow that in the case of larger corporations. The prison term is likely there just to use after a breach to get lower level people to talk. It is unlikely to ever be imposed.
Re: (Score:3)
I've always argued that all fines for any offense should not be fixed monetary amounts, but rather defined as some number of hours or days of the convict's income, depending on the severity of the crime, and calculated accordingly. Let that same rule and calculation apply to corporations as well.
Perhaps a speeding ticket would cost a day's pay: $80 for some people, $80,000 for others. Big corporate misdeeds could require forfeiture of weeks or months of a company's income.
Re: (Score:1)
As you say, fines should be proportional, not fixed.
Re: (Score:3)
That's $5 million per case, the way I see it. I good DA could make every single person who's data has been stolen an individual case.
Re: (Score:1)
Many times this.
Setting a fixed price makes it a fixed-price-liability. Actual damages might differ wildly from these numbers.
I'm all for fining companies that screw up their security and do not come clean about it. But damage that has to be recompensed due to a leak should be calculated from actual (or approximated) damages on a case-by-case basis.
I prefer the dutch (and mostly european) approach more.
After a breach:
- Local (national) privacy authority investigates company
- Privacy authority fines company
Re: (Score:1)
You'd have to hit a company like Apple with $1 billion to even get noticed.
Agree with parent. The wording of the bill says "intentionally and willfully conceals the fact of the breach of security". A good attorney will be able to argue it was not intentional nor willful in many cases - such as Equifax. Never attribute to malice what can be attributed to incompetence as the old saying goes.
What we need in the US is something similar to what Europe is doing. GDPR regulations make it as high as "up to 4% of the annual worldwide turnover of the preceding financial year". That
Re: (Score:3)
Totally agree. The GDPR appears to be much more consumer oriented. This one has all the right words as to what to penalize, but that is just because it needs to make sure that it is overriding all of the right state's laws. The purpose of this bill appears to be to override the state's rights to determine their own penalties and replace that with a maximum that is lower than some of them might impose.
Ironically considering that it came from Democrats, I have similar issues with the way this affects the stat
Re: (Score:2)
I agree that this codifies what appear to be protections. But it then turns around and puts a maximum penalty in place that is too low. This gives it the appearance of codifying the protections just for the sake of overriding the states' existing codes with a maximum that is less than what states might want to impose in order to protect the companies from consumer rights oriented states.
We'd be far better off to just copy the GDPR. This would also keep things consistent. Many of the possible bad actors here
A National Britches Law? (Score:1, Offtopic)
Well.....the Democrats and their Hollywood bros seem to be breaching them often enough without a new law.
did they include themselves? (Score:2)
Re: (Score:1)
Just contact law enforcement (Score:2)
Federal protection if code litter can be found with parts of any foreign language.
Welcome that national security letter and the full protection it offers.
Who gets imprisoned? You can only imprison people (Score:2)
Huh? (Score:2)
"Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal."
I'm sorry, but which special interests exactly are opposed to this? Is there some sort of hacker union lobbying against it?
I rather see a different bill (Score:5, Interesting)
Re: (Score:3)
That all sounds fine, and I agree that it generally would be double plus good, but the implementation would be hellish...
Define "strictest"
Who gets to decide what are the "most modern security measures"?
When do they become obsolete?
How long do they have to transition when to a new measure before getting in trouble?
Who certifies the "independent third party", and how much is an annual review gonna cost my small mom & pop business?
"Democrat" Senators? (Score:2, Informative)
"Democrat Senators"? So the Slashdot headline writers are now following the lead of Jesse Helms and Rush Limbaugh in attempting to change proper naming conventions to serve their own political ends?
Re: (Score:3, Interesting)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Yes! This is what is important! You hit the nail on the head.
Are you fucking kidding me?
Besides people like you, no one sees the term Democrat as any more insulting than the word Democratic. The words are interchangeable to non-partisian people.
Re: (Score:2)
Which is why the hard Radical Right spends so much time trying to forceably change the proper name of their opponent: because it is meaningless. Got it.
Re: (Score:2)
You let things bother you. Some calls me Dave instead of David and I don't freak out.
What? (Score:2)
So, let me see if I have this straight...
Yeah, I'm sure no organizations will abuse that gray area at all.
Get it right (Score:2)
DemocratIC Senators Introduce...
There is no such thing as the "Democrat" party. It's the "Democratic" party. Using "Democrat party" is just a way for Republic politicians to irritate Democrats.
Empowering the hackers (Score:2)
So, riddle me this. Doesn't this allow very amateur hackers to cause major industry upsets? I can walk into just about any office building, and grab some random private information by looking over a secretary's shoulder. I then tell the company (anonymously, sure) that I stole one customer's information. The company then needs to announce to the world that they've been breached.
So little old me, with a few minutes per day, can cause a big corporate to announce a breach of 1 customer every single day.
Soun
Re: (Score:2)
If someone breaks into my home, and steals my neighbour's trinket, I'm still the victim of a home invasion. So the company is also a victim.
Privacy screens and turning the monitor doesn't stop me, as a public customer, from suddenly walking behind the secretary, head-on, and taking a photograph as I walk by.
"Sir! You aren't allowed to be back here."
"Okay. Bye."
Way too late.
Are you going to call the mirror on the other side of the room a zero-day bug? What about the wall of glass windows after dark?
Opposite Effect (Score:2)
How do you incarcerate a corporation? (Score:2)
Re: (Score:1)
Change D to R and you've basically got Fox News and Rush talking points, which are basically marching orders for the Rs.