Text 8401, 110 rader
Skriven 2005-11-25 08:28:58 av Rich Gauszka (1:379/45)
Ärende: the DATA Act - or how congress f**ks up legislation
===========================================================
From: "Rich Gauszka" <gauszka@hotmail.com>

It looks like our congress critters are trying their best to water down yet
another piece of legislation


http://www.infoworld.com/article/05/11/25/48OPsecadvise_1.html
After the ChoicePoint debacle this year, the U.S. Congress decided to get
involved. Congress was tired of companies not affected by California's law
getting away with not reporting lax security.

Finally, I thought, we will get some accountability.

Unfortunately, it appears highly likely that a weaker federal law -- which
would invalidate stronger state laws like California's -- will be passed. The
Data Accountability and Trust Act, or DATA Act, defangs the primary intent of
the California law and will ensure that the public will rarely be informed when
their personal information has been compromised.

And the House Committee on Energy and Commerce is bragging about this.

Although the law has some new, welcome measures (such as requiring every
covered company to appoint a specific person to be accountable for information
security), it has three big problems:

1. It allows the company that suffers the security breach to determine, alone,
if the breach will result in a significant risk of identity theft. That leaves
foxes guarding the hen house.

2. It invalidates state laws allowing private citizens to sue companies that do
not adequately protect their information, like the California law allows.

3. Enforcement of the law will be left up to the already underbudgeted and
overworked FTC; and it specifically under-funds this initiative by providing
only $1 million in additional monies. Would that even cover the paper costs of
printing press releases about the new act?

The first point basically invalidates the central point of California's law,
and it doesn't make sense from a consumer standpoint. We don't want the very
same people who employed weak security in the first place and allowed our data
to be compromised to be the ones who are trusted to determine if the threat is
serious or not. Heck, if they could have made that determination in the first
place, they wouldn't have had such weak security.

What CEO in his or her right (business) mind would proactively notify consumers
after significant damage has happened? The CEO might even be in danger of
stockholder lawsuits if he or she did proactively warn consumers.

And how would a corporation define a "serious" threat? In corporate accounting,
fraudulent financial statements are not restated unless the previous
misstatement is 5 percent or greater (the materiality rule). Applying that
reasoning to a security breach, if only 4 percent of consumer accounts out of
20 million accounts stolen are used in identity theft, does the company have to
report it?

The DATA Act reminds me of the CAN-SPAM act. When we heard that Congress was
going to make spam illegal, we celebrated. Then, we cried as the true contents
were revealed, and we watched bad politics and corporate influence destroy any
opt-in law that could have done something about the problem.

Like the DATA Act, CAN-SPAM was written to "not overly burden corporations with
undue restraint" and to "prohibit costly and disruptive lawsuits." Politicians
decided to appease corporate interests while making the generally
unknowledgeable public feel as though something was being done about the
problem. Instead, spam has increased since the act's release.

Some proponents of the DATA Act say that requiring consumer announcements every
time consumer information is stolen will result in consumers not paying
attention to the alerts. What a bunch of imaginative crock! I might barely pay
attention when I hear of some company or college I don't belong to being
hacked, but when it's my credit card company, store, or bank, I want to know --
each time, every time.

It's precisely the threat that companies must notify consumers each time that
makes the California law so useful: It finally requires that the CEO and board
of directors pay attention. And, notifying all consumers is costly -- one
survey I read said that notifying customers after a security breach cost
companies about $70 per notification, and that 40 percent of affected customers
at least considered ending their affiliation with the breached company.

The mere fact that 40 percent of affected customers considered ending their
relationship with an entity begs for full disclosure of security breaches.
Forty percent of people, whether it impacted them or not, thought the
information important enough to affect their lives. Congress, are you
listening?

The information provided on the House Committee on Energy and Commerce's Web
site says the following: "The FTC says that over a one-year period, nearly 10
million people had discovered that they were victims of identity theft.
Estimated losses translated into $48 billion for businesses and $5 billion to
consumers." How many of next year's consumers will not by notified if the DATA
Act passes?

Take 15 minutes tonight to e-mail your state representatives about the DATA
Act's shortcomings (H.R. 4127). The poorly written bill was passed along party
lines out of a House Energy and Commerce subcommittee on Nov. 3, and it will
now go on to larger votes in the Energy and Commerce committee, then the House
of Representatives and the Senate.

And there is another option available: as we go to press, the Senate is set to
vote on a similar bill that passed out of subcommittee, the Personal Data
Privacy and Security Act of 2005, S.1332, and the related S.1789 bill. Although
any exceptions supercede state laws, this proposed law has hard and fast rules
over materiality (more than 10,000 personal records compromised), imposes jail
terms for those who willfully neglect to notify affected consumers, and
contains a lot of other very welcome language. It's not perfect, but let's hope
the Senate version is pushed to the House vs. the other way around.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)