No chance
The lobbyists are doubtless already spraying cash around liberally to make sure this goes nowhere.
New legislation introduced in the US Senate by Elizabeth Warren (D-MA) and Mark Warner (D-VA) would result in credit reporting agencies being slapped with stiff fines if they play fast and loose with data security. The Data Breach Prevention and Compensation Act [PDF] would impose a mandatory $100 fine per person affected on …
Remember this from July 2017?
Democrats (still a thing, apparently) are super unhappy about AT&T's Time-Warner merger ("the party says it stands in opposition to this and other mergers that will reduce competition among cable providers")
Oh, No! A very strongly worded position from the Dems! But a few months and a few $$$ thrown at Dem lobbyists later and there is silence and inaction on the part of the Dems. The Dems' investigations into Twitter and Facebook fared the same.
The biggest problem with the bill is the size of the potential fines. They are big enough to bankrupt a company in short order (50% of annual revenues). In many cases that would be as bad as the security breach, as the company sinks taking other innocent businesses with it.
The bill is poorly thought out as far as its effects go. Probably a better solution is, when a breach is above a certain size or due to gross negligence/incompetence, to give the C-suiters a personal multiyear, all-expense paid vacation courtesy of Club Fed with a personal massive 'donation' to the feral treasury.
"The biggest problem with the bill is size of the potential fines. They are big enough to bankrupt a company in short order (50% of annual revenues). In many cases that would be as bad as the security breach as the company sinks taking other innocent businesses with it."
Well then they had better be pretty fucking careful with our data in order to keep that from happening.
"give the C-suiters a personal multiyear, all-expense paid, vacation courtesy of Club Fed with a personal massive 'donation' to the feral treasury."
You're talking about job titles. Job titles are what the company chooses to make them. They're just strings of letters. Unless you actually define the roles in your legislation then you have a massive loophole in it. Much easier to go for the directors. Those are already defined in company legislation.
"Sure it will, it will make companies more willing to invest resources in preventing future breaches instead of just assuming they can take a brief public black eye when it hits the press and move on."
Sure it will, it will make companies more willing to invest in covering up breaches and obfuscating the number of affected individuals.
It's time to hold the executives and board of directors directly accountable in all corporate transactions, including the so-called "limited-liability" corporations.
Fining a company into rubble won't work and there are corporate shenanigans that can make a non-controlled entity totally liable in case there are problems.
I'd really like to see some strict financial ties between an officer's wealth and the liability of the company; both during the officer's tenure and some period (5 years?) post tenure.
For every individual that the company holds compromising information about, there should be a surety bond tied to the company and officers. This bond should be able to be exercised by an aggrieved party (or class) with a simple finding of fault.
Any company that offers a "free credit check" as a result of their malfeasance should immediately be dissolved and any officer forced to take credit counseling courses.
Until they hold the directors or "C" suite criminally liable, no one will care.
With a potential $1.5Bn fine, the execs will look at dissolving the company, take their overly large bonus packages and flick the Government the middle finger as they walk out the door. There are just too many ways to dodge corporate responsibility. Until they fix that, this is just smoke and mirrors.
This looks to me like a more specific version of GDPR, with significantly higher penalties. While GDPR itself doesn't become law until May, I'm aware of some companies (including mine) already making preparations. Why then the objection to this one that it is useless unless executives are directly exposed?
So they've finally begun to notice.
I wonder how long it will take before they start to think in wider terms than credit reference agencies. I suppose there's a factor limiting that. Given the number of breaches with US Gov't agencies if they made it a blanket law they might have to build in exemptions for gov't and that mightn't look too good. It might even start the plebs thinking about all the data gov't collects and that could be a really scary outcome for them.
The problem is not going to go away until executives can be personally prosecuted for gross negligence if it can be demonstrated that they willingly and knowingly failed to implement adequate security policies and programs.
We keep hearing about employees in the trenches who flag security issues, only to have it go nowhere. They often do this at their own peril and frequently it does not lead to an improvement in the company's security posture.
In addition, we need a public clearinghouse where customers can report security issues. That too should have some teeth. If a company fails to address a reported issue and it results in a breach, that should be grounds for meaningful penalties. In addition, some agency must have enforcement powers to go after companies that fail to fix reported issues. Any enforcement action should be made public.
There should also be a timed trigger for publication of reports. Give a company some time to fix the issue and make it public after the deadline. No pulling punches here - let's use the PCI-DSS standard of one month (after patches are available) for CVEs that are rated 4 or higher.
While I'm on the subject, the legislature needs to codify the meaning of "adequate security". As a starting point, maybe require PCI-DSS compliance as a baseline for all PII (not just credit cards) and also require adherence to the NIST security standards.
Massachusetts tried to pass a bill to hold executives personally liable for security breaches, but I don't believe it became law.
As for this proposed fine, as a rule of thumb, companies already assume that it will cost an average of $200 per breached account (direct and indirect costs). Some of that can even be mitigated by purchasing an insurance policy.
Elizabeth Warren has been tossing out a lot of useless bills in an effort to get her face in front of a camera, and this proposed bill is no exception. Don't be shocked if she claims to have 'computer geek' heritage.
Anyone with more than 2 years experience in IT can see it's a bunch of crap done haphazardly. It's missing far too many things and doesn't hit the details required and powers needed for a true "Information Security Tsar" office covering consumer information by businesses and organizations.
Also, this bill addresses two very different things. An office and a penalty; with no policy in place.
How about we first create the office/organization, then create policy, and finally create penalties.
This way, experts who know what they are doing put something together. Not some lying politician who hopes to be president some day.
As this law is focused primarily on the credit bureaus and the way they create consumer databases and sell services based on that data, the bill should have addressed the cost that gets passed onto the victims when a breach occurs. Fines do not pay the victims a red cent. The costs can be in the thousands.
Currently if the consumer has their data stolen, they are left with dealing with the consequences. Offering a 'free service' from the same company that lost the data in the first place does not address the fact that harm has already been done and the costs that the individual must endure to clean up the mess. Also a victim has to prove that they have been harmed by the breach itself. Legal fees are not cheap.
I can see a need to impose a fine on the company for a data breach, and that should cover the government's investigation and administration costs with an ongoing fund for legal costs. That will affect the company's bottom line, but it will be specific to the situation. As far as punishment and deterrents for the company's leadership, the lawmakers should have introduced a felony charge that can be associated with this type of corporate indifference. The execs will need to deal with the prospect of having a criminal record and possible jail time. That will influence their behavior, attitude and vigilance.
If the investigation determines harm has occurred, then the company is responsible for covering the victim's financial costs. The company cannot use their own service offerings for this.
The bill that these 2 Senators have produced is ridiculous. It is obvious that a court challenge would render it absurd. The company would be absolved of the fines and the wrongdoers would walk away unscathed.
You knew there would be attempts to change law after it happened, but this particular example falls sadly short of the mark.
What's worse is that in this particular case it was a company not with "customers" but with unsolicited worldwide non-optional data grabbing. If anything, the first law we need is to abolish the credit score trio and the second is to establish that any such replacement be specifically opt-in by design. And then we can start discussing the proper way to handle basic security practices and culpable negligence for any lack thereof, and the liability of those who made the decisions and approved of them within the corporate structure.