Democratic Senators propose federal breach disclosure law with 5-year prison sentences for covering up data-loss


The timing of this is interesting. It will be interesting to watch and see when and where this fails.


It really is about time. Anyone can be breached but keeping the breach secret is inexcusable.


I’m sure, with the current political climate and people in charge, that this proposal stands a very good chance of passing. And by “passing” I mean “passing away, kicking the bucket, buying the farm, biting the dust, fading away, giving up the ghost.”

I am sorry for my sarcasm, but there’s no way it can pass! This is a stillborn proposal at best, so what is it beyond democratic grandstanding?


It’s simple. The Democrats are a minority in the Senate and House; the Republicans aren’t interested in giving them any sort of legislative accomplishment. So, it will fail.


That was indeed my point. It will die in committee.


Well, either it’ll pass and we’ll maybe get a few protections, or it’ll be a cudgel to beat the GOP with next time we get Equifax’d.


Unfortunately, that cudgel is not very strong when the GOP will continue to not give a shit nor will their voter base even though the breaches affect them.


Simple, it’s a very loud and clear message to these tech companies: “Cut that shit out and behave yourselves, or else we will go after your C-suite with a big, spiky stick”.

It’s a warning and a preview of what the Dems will do when (at this point, quite soon!) they regain some power in Congress. Floating these bills now is just giving the tech execs fair warning that they’ll personally be held accountable if they don’t stop playing silly buggers with people’s data and causing direct harm to millions of users.


This is all fine while we’re hating on Uber, but this law is going to apply to everyone. Anyone with customer data is going to be liable for this kind of thing, and to me the penalty seems excessive.

If it’s anything like HIPAA, which governs breaches of medical privacy, I expect it to be similarly excessive and vague - the HIPAA laws don’t even make clear what “private health information” actually is (you are just supposed to guess), but the penalty if you are found to have leaked such a thing (whatever it is) is thousands, possibly millions of dollars. And the liability is personal, not institutional, so individuals are on the hook for these huge punitive fines.

The result is an enormous apparatus devoted to maintaining a nonsensical regime of data privacy with poor definitions, difficult enforcement and draconian penalties for a crime of often dubious impact.

Of course, privacy concerns are real, data should be kept secure, and customers have a right to know when things have gone wrong, but the idea that we’re going to achieve this merely by slapping huge criminal penalties on breaches is idiotic.

As a coda, let’s remember that the same government that is passing these laws also developed some of the best tools for creating these breaches.


Yes, but along with that loud and clear message is the unspoken logic that the big spiked stick will never come into play; it’s got all the threat potential of Dad scaring you by saying he’s going to whip you with the never-seen belt studded with fishhooks that tear flesh from the body. The first time you hear about it, terrifying. The 12th time you hear about it, it’s a parody of a threat.

I sort of disagree, I think this is closer to the metaphorical equivalent of dad having a bunch of fishhook-belt magazines lying around, showing that he’s doing his homework and is planning on buying one in the near future if you don’t get it together.

Passing the bill would be buying the belt, and then actually using it would be, well, enforcing the law when unreported breaches occur.

It’s a much bigger step than an empty threat. Although it might be interpreted as grandstanding, it really does show that more effort has been made than just saying “behave or I’ll flay you”.

I’m not going to lug my own stupid analogy any further. At the heart of it, I believe that without an enforceable law, the unscrupulous will always be willing to roll the dice, threat or no, in the face of potential profit. Grab now, justify later, all else is moral fodder for those who have morals. So if you can’t make the law, don’t bother. It is wasted effort that could have gone towards producing something concrete, not vaporlaw. Because cynical old me believes that the big bag of cash plays both sides of the field, and if/when the Dems get back in the drivers’ seat, all of a sudden the actual power to make the federal breach disclosure law a reality will somehow never get applied. Wash, rinse, repeat.

You know, it helps when the law has teeth. Every year we get the same training about the do-not-call list, and the ten thousand dollar fine for one mistake. Except it’s the TEN THOUSAND DOLLAR FINE FOR ONE MISTAKE!!! Fines work best when they’re much, much bigger than the profit on an infraction.


Congress doesn’t “want to upset the technology community with obtrusive regulation,” but the private sector has been poor in instilling confidence that it will act in the public’s best interest, he said.

While this may be true, he could say the same thing about Congress.

“Democratic Senators propose a further expansion of the powers of the fascist-controlled police state”.


The prison penalty makes doubly sure this bill will fail. Jail time for corporate executives? It is to laugh.

Under this bill, what penalties come into play when a government agency leaks personal data?


Encrypting a database/data pool/whatever only goes so far. It’s a good preventative measure, but at some point the data has to be decrypted to be usable, and that in and of itself needs to be accounted for in the threat modeling. Among many other things like how/where the decryption key is stored, access control, etc. etc. etc.
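The point made above, that the decrypt path and the key’s location are part of the threat model, as an added illustration in Go (example code written for this thread, not from the article or any poster). It uses stdlib AES-GCM envelope encryption: each row gets its own data key, wrapped under a key-encryption key the database never stores. The `KEKSource`, `StaticKEK` and `GatedKEK` names are hypothetical stand-ins for however an app reaches its KMS or secrets service; the row layout is made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one encrypted row as the database stores it (hypothetical layout).
// It holds ciphertext plus a data-encryption key (DEK) wrapped under a
// key-encryption key (KEK); a dump of the table alone yields nothing readable.
type Record struct {
	RowID      string
	Nonce      []byte
	Ciphertext []byte
	DEKNonce   []byte
	WrappedDEK []byte
}

// KEKSource models whatever the application must ask for the KEK at decrypt
// time (KMS, HSM, secrets service). Access control lives here, not in the DB.
type KEKSource func(rowID string) ([]byte, error)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptRecord: fresh 256-bit DEK per row, row encrypted under the DEK, DEK
// wrapped under the KEK. The row ID is authenticated data on both layers, so
// ciphertext cannot be silently moved from one row to another.
func EncryptRecord(kek []byte, rowID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	aad := []byte(rowID)
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return Record{}, err
	}
	dekNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Record{}, err
	}
	return Record{RowID: rowID, Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// ReadRecord is the step the post is about: to make the row usable the app
// must obtain the KEK, unwrap the DEK and hold plaintext in memory. Whoever
// reaches this code path with KEK access reads the data, however well the
// database itself is encrypted.
func ReadRecord(src KEKSource, r Record) ([]byte, error) {
	kek, err := src(r.RowID)
	if err != nil {
		return nil, fmt.Errorf("kek access denied for %s: %w", r.RowID, err)
	}
	aad := []byte(r.RowID)
	dek, err := open(kek, r.DEKNonce, r.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key (wrong KEK, tampered row, or row ID swap)")
	}
	return open(dek, r.Nonce, r.Ciphertext, aad)
}

// StaticKEK models the weak deployment: KEK baked into the app and handed to
// every caller, so compromise of the app is compromise of all the data.
func StaticKEK(kek []byte) KEKSource {
	return func(string) ([]byte, error) { return kek, nil }
}

// GatedKEK models a secrets service that releases the KEK only for rows the
// caller is authorised to read.
func GatedKEK(kek []byte, allowed map[string]bool) KEKSource {
	return func(rowID string) ([]byte, error) {
		if !allowed[rowID] {
			return nil, errors.New("not authorised")
		}
		return kek, nil
	}
}

func main() {
	kek := make([]byte, 32)
	io.ReadFull(rand.Reader, kek)
	r, _ := EncryptRecord(kek, "user:42", []byte("ssn=123-45-6789")) // constructed sample row
	pt, err := ReadRecord(GatedKEK(kek, map[string]bool{"user:42": true}), r)
	fmt.Printf("authorised read: %s (err=%v)\n", pt, err)
	_, err = ReadRecord(GatedKEK(kek, nil), r)
	fmt.Println("unauthorised read:", err)
}
```

The contrast between `StaticKEK` and `GatedKEK` is the whole point: the ciphertext column is identical in both deployments, and the only thing deciding whether a compromised app process can read every row is where the KEK lives and who the key service will release it to.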
