Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

The Data Accountability and Trust Act (DATA)

Posted by Zonk on Tue Apr 04, 2006 09:53 AM
from the not-a-terrible-idea-for-once dept.
Security Government Politics
An anonymous reader writes "The U.S. House of Representatives will soon be considering the Data Accountability and Trust Act (DATA). If passed it would require all companies to inform customers of security breaches that affect their personal data. The bill requires consumers to be told if their privacy has been violated because of a breach. Under the proposals, if a breach does occur, a company must notify any customers concerned and the FTC, which can then demand an audit."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

The Data Accountability and Trust Act (DATA) 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Long Overdue (Score:5, Insightful)

    by TripMaster Monkey (862126) * on Tuesday April 04 2006, @09:55AM (#15057399)

    It's about time a law like this was enacted.

    On the average, I tend towards favoring less legislation, rather than more, but the simple fact is since it is not in the companies' best interests to disclose information about security failures, it can't be too much of a shock when they decide not to. This law is necessary to safeguard the information that citizens entrust to these companies, and given how inextricably our society is intertwined with the digital realm in this day and age, it's way overdue.

    • Re:Long Overdue (Score:4, Informative)

      by TubeSteak (669689) on Tuesday April 04 2006, @10:25AM (#15057699) Journal
      This is going to lead to a certain amount of data hysteria once it gets passed.

      Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

      "Your information is unsafe" will become a new media theme, along with "kids shooting up schools", "female teachers sleeping with students" and "pretty white girl goes missing".

      BTW - businesses cannot go around redefining "breach" or "personal information", because the bill defines exactly what those are.

      If you read the text of the bill [loc.gov] they've dodged out on specifying some of the trickier parts by using language like "Not later than 270 days after the date of enactment of this Act" to require the definition of certain aspects of the bill. Very poor idea, as it gives the lobbyists something to aim at weakening.

      It's sponsored by a Republican from Florida and co-sponsored by a stack of other R's. Good idea, possibly poor implementation.
      • Since most people don't know that shit like this happens on a regular basis, once it starts getting reported regularly, the news media is going to pick up and run with it.

        Don't worry, after a couple months it will become such a beaten dead horse, everyone will think "Oh, this stuff happens all the time. My chances of having my identity stolen are next to nil." And the notice gets tossed in the trash never to be worried about again.
      • It should be implied as interpreted through our Constitution, and amendments, etc.

        What? How? You can't just pretend those documents say something they don't. Well, you shouldn't.

        We can't publish sensitive data from a major corporation on the Internet, or we would get sued.

        What makes you think that?That being said, it should be implied, understood, and common practice to prevent big business from doing some of the things that they should be doing in the first place (privacy violations, overcharging, ba

          • Re:Long Overdue (Score:4, Interesting)

            by amliebsch (724858) on Tuesday April 04 2006, @11:03AM (#15058072) Journal
            The same law that prevents me from spying on my neighbor, and collecting information about him

            But what law would that be? I am not aware of laws that prohibit you from logging what your neighbor does, or watching him from your property. You can't trespass on his property of course, or steal his garbage - but what law prevents you from tracking all information he allows to flow onto your property?

      • I think a MUCH better law, would be to legislate that one's personal data belongs to THEM, and that any company has to ask permission to house such, and MUST request permission to sell personal data or offer it for sale at all.

        If you could enforce personal data privacy, a great deal of this industry of gathering and selling personal data would dry up...and therefore there would be less personal data spread all over the spectrum with dubious security protecting it.

        • You said: I think a MUCH better law, would be to legislate that one's personal data belongs to THEM,

          Thighter definition is required than what you propose. I admire your sentiment, I really do. But it will never fit into law.

          Look at patent law. The idea of "An Invention" is left undefined in the law. And this leads to a lot of scope creep.

          If the law was defined as you mentioned, where do you draw the boundary of "Personal Data"?

          e.g.:
          Eye Colour
          Retina Pattern
          A fingerprint
          A fingerprint and the finger

  • Across corporate America (Score:3, Insightful)

    by tropicdog (811766) on Tuesday April 04 2006, @09:58AM (#15057430)
    I predict that the definition of "breach" is being redefined in boardrooms across the land. If it doesn't meet the new definition, they won't have to report it. Same old song and dance.

  • wtf (Score:3)

    by Thaelon (250687) on Tuesday April 04 2006, @10:01AM (#15057462)
    How the hell would you know if this law was ever broken if they don't tell anyone?

  • Exemption... (Score:5, Insightful)

    by Olmy's Jart (156233) on Tuesday April 04 2006, @10:08AM (#15057539)
    But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.
    • But it's got a gotcha. There's an exemption if they encrypt their data - even if the encryption is lame or broken. If they encrypted their data, they don't have to notify anyone. That's a loophole to drive a world class semi through. And there are fears that it will superceed laws like those in some states, such as California, which have no such exemption.

      Even if the encryption isn't lame or broken, it's still data out there on the loose. How long would it take to crack, given all the available informatio

    • Re:Exemption... (Score:5, Informative)

      by amliebsch (724858) on Tuesday April 04 2006, @10:30AM (#15057746) Journal
      There's an exemption if they encrypt their data - even if the encryption is lame or broken.

      It doesn't say that! Stop making stuff up.

      The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

      Now perhaps there are encryption algorithms approved by the NIST that you feel are not sufficiently strong - though you haven't given any examples - but to claim that you can use any old encryption algorithm is FUD, pure and simple.

    • From The Bill: (Score:4, Insightful)

      by TubeSteak (669689) on Tuesday April 04 2006, @10:31AM (#15057767) Journal
      http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.412 7: [loc.gov]
      Sec 5. (1) ...The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised
      That's a great clause, even though it opens the door to conflicting expert opinions. They absolutely have to include a reporting mechanism into the law, so that there is a timely way to get the issue heard and resolved.

  • Existing medical laws (Score:3, Interesting)

    by PIPBoy3000 (619296) on Tuesday April 04 2006, @10:25AM (#15057696)
    At my organization, we recently passed some policies around the release of medical information. Essentially we're complying with existing laws in Washington, where we have hospitals, so mostly we're being consistent across our organization.

    What it means is that if medical information somehow gets outside of our organization without our permission, we need to notify patients. This can get extremely expensive in cases where large amounts of records get lost or stolen. There's an exception in the law that lets us publish ads in major papers instead of sending out letters. I think the barrier is around a million dollars or so before we switch to ads.

    Is this a good thing? My son's medical information was on some backup tapes stolen from the back of a car from a different healthcare organization. I personally don't care about it and it's unlikely the information gets used for malicious purposes. The cost for sending all the letters was in the hundreds of thousands of dollars most likely. Costs like that would bankrupt small organizations, though in today's healthcare market, it's becoming the price of doing business.

    What'll probably happen is that big organizations will bear the cost of this in stride, while smaller organizations will have yet another risk that might shut them down at any moment.

  • DATA Breach Timescape (Score:5, Funny)

    by digitaldc (879047) * on Tuesday April 04 2006, @10:41AM (#15057855)
    PICARD: What's the problem, Mister Data?

    Data turns to them.

    DATA: I believe I have discovered the cause of the identity theft. There is a hard core data data breach in progress.

    They react. Data indicates the phishing email on the screen. They walk up to it...

    DATA: It is the flashpoint of a privacy invasion. And it is expanding.

    PICARD: Expanding... I thought phishing scams were suspended on this ship?

    DATA: We were incorrect. I have determined that email scams are moving forward at an infinitesimal rate.

    TROI:Why didn't we notice it before?

    DATA: Our initial conclusion was based on our observations of the crew. A data breach moves at a much faster rate. The motion of the email is within my neural detection threshold. Based on its current expansion rate, it will consume the crew's identity in approximately nine hours, seventeen minutes.

    PICARD: Is there any way we can stop it?

    DATA: It is no longer a question of stopping it, sir. The explosion of phishing email has already occurred -- The fact that it is moving slowly changes nothing.

    Picard stares at the screen for a long moment...becoming very thoughtful...

    PICARD: Astonishing... to see our identities stolen like this...

  • Coming soon to a workstation near you (Score:5, Funny)

    by PrvtBurrito (557287) on Tuesday April 04 2006, @10:41AM (#15057862)
    Dear PrvtBurrito,

    We recently noticed that your PayPal account was compromised. As required by law we are informing you of this breach. In order to reprocess your new secure account, please log in to PayPal and rectify this situation:

    [Click here to update your account]

    If you choose to ignore our request, you leave us no choise but to temporaly suspend your account. We ask that you allow at least 72 hours for the case to be investigated and we strongly recommend to verify your account in that time.

    Thank you for using PayPal (or whatever service is being spoofed)!

  • US Dept of Acronaming UDA (Score:4, Funny)

    by rakerman (409507) on Tuesday April 04 2006, @10:51AM (#15057943) Homepage Journal
    Is it just me, or do these legislators spend more time thinking up clever titles that spell out words than on the actual content of the bills?

  • Secure Transactions (Score:3, Interesting)

    by Doc Ruby (173196) on Tuesday April 04 2006, @11:08AM (#15058123) Homepage Journal
    I want that law to define "security breach" to include any disclosure of personal info outside the immediate transaction into which the person delivered their info. To apply copyright protection to personal info, licensed for copying by the recipient solely to complete that immediate transaction. People pay for a huge public infrastructure to protect corporate info, including commercialized copyrights. We should have at least the same strength protection on our own info. Until corporations have that strong financial incentive to protect even one person's data, they will of course take the cheaper/profitable course, which exposes people to damage.

    • Re:So how much is this going to cost? (Score:5, Insightful)

      by Theatetus (521747) on Tuesday April 04 2006, @10:01AM (#15057468) Journal

      You work for ChoicePoint or something?

      Why the hell do people bristle so much at corporate regulation? A corporation is chartered by the state; it's not like you have some God-given right to run whatever business organization you want in whatever way you want without somebody watching what you do.

    • Re:So how much is this going to cost? (Score:5, Insightful)

      by Anonymous Brave Guy (457657) on Tuesday April 04 2006, @10:09AM (#15057548)

      The problem is, if they're going to have to 'fess up, but then get away with nothing more than a slap on the wrist anyway, then this law is unlikely to do much to improve the security of personal information and the integrity with which it is handled. What they ought to do, IMHO, is enact a law that both requires disclosure and hits the offender with a financial penalty proportionate to the damage caused and the degree to which the offender's negligence caused it.

      If a business carelessly loses 1,000 customers' credit card details but then gets hit with a dent to their bottom line of 1,000 x $AVERAGE_COST_PER_CARD_FRAUD + $COSTS_INCURRED_BY_AUDITORS + $SIGNIFICANT_PENALTY_CHARGE, then maybe it will become enough of a priority on the executive radar to do something about it. Similarly, if identity thefts or other more serious consequences arise, the costs of cleaning those up can be incorporated into the penalty; naturally, this should include compensation for the time spent by the affected individuals and any third parties they had to deal with to fix the problem.

      At the same time, this approach removes the financial burden of conducting after-disaster audits from the taxpayer, and passes it onto the offending party instead.

            • ChoicePoint

              They created an entire new division that ONLY deals with privacy and security issues, have institued a number of new policies, ALL employess now go through extensive background checks (causing my team to have to turn down a couple of otherwise good applicants due to irregularities that they couldn't explain) and a $10 million fine at the end of last year.

              Sure, but were the various security improvements because of bad PR, or because they didn't want another $10M fine?

    • Re:Recursive Acronym! (Score:4, Informative)

      by amliebsch (724858) on Tuesday April 04 2006, @10:36AM (#15057807) Journal
      I don't think it counts as recursive, because the "Data" that is in the name of the act is NOT referring to the acronym "DATA," it's referring to the actual word "Data." To be recursive, an acronym must be self-referential, but this one is not.
    • Apparently, there was a recent security breach relating to a computer housing data from one of the retirement programs in the state of Georgia. Data was stolen, including names, SSNs, banking info, etc, and the state sent a form letter with applications for retrieving credit scores. Although this isn't quite the same as what you are saying, it is a breach that occurred on the government's watch. Do government agencies have the same notification duties as companies under this new legislation? Who holds g
    • This is an unnecessary law. If you make a contract to trade with a party, put in the agreement that you want your information to be private and you want them to notify you of any breach of that agreement. If the company won't do business with you, don't buy from them -- if you want a cheap price, you might be willing to forgo this contract feature.

      That's nice in theory, but one of the reasons we have government regulation is to help mitigate the asymmetry of power that prevents individuals from ever negot

      • it addresses abuses of individual customers (a.k.a. "consumers" or "cattle") by the industry when the market has failed.

        I don't believe the market has failed in terms of privacy -- it is the mountain of previous regulations that have given preferential treatment to companies with ties to government. As an entrepreneur myself, I know how bad it is to get into many markets -- it is not competition that scares people off, it is excessive regulations.

        Most of the acronyms you listed have their basis in previous

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.