US-based companies would be required to report data breaches that threaten consumer privacy and could face stiff penalties for concealing them under federal legislation that was introduced in the Senate on Tuesday. The Personal Data Privacy and Security Act aims to set national standards for protecting the growing amount of …
A bill protecting consumers from the errors of corporations? In the United States? Good luck getting that one accepted.
I predict if this becomes a law that the Federal Government will of course be exempt.
No problem Zippy, we'll just make Corporations subject to USC 5 and USC 13, oh, and don't forget that FOIA requests apply to persons, not only citizens.
...if this were to pass, you would then start seeing a "waiver" program put in place "to give companies a level playing field", supposedly for smaller companies that cannot afford the same protections as larger companies, but the only companies that will be able to get the waivers will be the big companies.
Gosh, that sounds awfully familiar... I'm not sure where I've seen it before, but it is making me sick just thinking about it.
Will individuals be mandated to have data breaches, and will there be government subsidies if you cannot afford one on your own?
Three outcomes should this pass into law.
#1) Data breaches will cease to be news for the same reason that "There's a new virus in the wild" isn't news anymore.
#2) Big companies will, initially, spend more on security to avoid embarrassment. However, once #1 takes hold, that positive effect will go away.
#3) As Zippy said, the federal government will be exempt.
Telcos already guilty?
I've read articles that the large telcos are leaking data like a sieve. And almost all that data is going to a hacker collective that calls itself NSA...
Who exactly will go to jail? The CEO, CIO, or some engineer "responsible" for security whose recommendations to improve security were shot down?
It's called covering your ass...
That is why you put everything in writing.
"These are my suggestions of what we need to do to meet compliance with this new bill."
If your boss then shoots this list down for whatever reason, he's the one that goes to prison... Coming from the aerospace field, where if a plane goes down and it's your part that's responsible then you go to prison, makes you very aware that covering your ass is very, very important...
"... [develop] a comprehensive national strategy to protect data privacy and security..."
How's this for a strategy to protect my data privacy and security:
For *all* organisations (Commercial, Governmental, Telcos, and Landline ISPs):
1. Don't track my browsing activity with persistent Cookies/Flash LSOs/DOM storage.
2. Don't store *any* of my account info in an unencrypted format.
3. Don't require me to opt-out (as opposed to opt-in).
4. Don't accept data from client web browsers without sending it through a string-scrubber first.
5. Don't use unencrypted sessions to perform *any* sensitive transactions (not just financial).
6. Don't send GPS or other location data upstream without asking first.
For Landline ISPs:
7. Don't perform deep-packet inspection to target advertising and/or manage traffic; respect the sanctity of my packets.**
8. Don't snoop on what I do without a legitimate court order supported by concrete evidence.
There... Was that so hard?
** (General traffic management without packet sniffing, such as "pay $XX/month for YY Mbits/sec bandwidth" is OK by me. The more I pay, the more I get. How I use it is *my* business.)
Can I have some of what he's been smoking please? ^^^^^
Must be good shit.
In our dreams, such stuff is made...
Lawyers will never accept it!
Not enough ambiguity to line their pockets on.
Tired of password reuse and non-hashing
Solution: mobile phone based public key security.
1. Android app to generate public/private key pair on your phone
2. Store the private key in a secure area on the SIM
3. NFC-enable phones to sign transactions
4. Add NFC readers to PCs and POS terminals
5. Add a thumbprint reader to phones like the Atrix already has
6. Pay for things at the supermarket, and log into gmail via the same secure method
RSA never has access to your private key, no one can forget to hash your password, replay attacks are over, public keys can be blacklisted over the web when a phone is lost. C'mon guys, it isn't that difficult!!!
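The challenge-response flow the post sketches (phone-held private key, transactions signed on the phone, a lost phone's public key blacklisted), as an added Go example that is not part of the original post or of any real product. It uses Ed25519 from Go's standard library in place of the SIM and NFC hardware, and the per-transaction nonce is the added assumption that makes the "replay attacks are over" claim actually hold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Phone stands in for the handset: the private key never leaves it (in the
// post's design it would sit in the SIM's secure area); only Sign is exposed.
type Phone struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewPhone() *Phone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Phone{pub, priv}
}
func (p *Phone) Sign(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

// Verifier is the relying party (till or web login): enrolled keys, the blacklist
// for lost phones, and the nonces it has issued but not yet seen signed.
type Verifier struct{ enrolled, blacklist, pending map[string]bool }

func NewVerifier() *Verifier {
	return &Verifier{map[string]bool{}, map[string]bool{}, map[string]bool{}}
}
func (v *Verifier) Enroll(pub ed25519.PublicKey) { v.enrolled[hex.EncodeToString(pub)] = true }
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.blacklist[hex.EncodeToString(pub)] = true }

// Challenge is what the phone signs: the transaction text plus a fresh 16-byte
// nonce that Verify accepts once, so a captured signature cannot be replayed.
func (v *Verifier) Challenge(tx string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	v.pending[hex.EncodeToString(nonce)] = true
	return append([]byte(tx+"|"), nonce...)
}
func (v *Verifier) Verify(pub ed25519.PublicKey, challenge, sig []byte) error {
	id := hex.EncodeToString(pub)
	if v.blacklist[id] { return errors.New("key blacklisted: phone reported lost") }
	if !v.enrolled[id] { return errors.New("key not enrolled") }
	if len(challenge) < 16 { return errors.New("malformed challenge") }
	nonce := hex.EncodeToString(challenge[len(challenge)-16:])
	if !v.pending[nonce] { return errors.New("nonce unknown or already used: replay") }
	if !ed25519.Verify(pub, challenge, sig) { return errors.New("bad signature") }
	delete(v.pending, nonce) // consumed: the same signed challenge never verifies twice
	return nil
}
```

Note that the blacklist only helps if the relying party checks it before the signature, and that the nonce store is what turns "public keys can be blacklisted" and "replay attacks are over" from slogans into checks.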
Why did RSA have a central database of seed values anyway? The only purpose I can think of is to spy on their clients (possibly on behalf of the USG)