Comments on: Bill puts cops first in data leak notification
Anyone who holds personal data would be forced to report security breaches to law enforcement before telling affected consumers.
It's finally time we see some movement on the issue.
Simply put, most of the security breaches we hear about would not be possible if the companies involved were not allowed to store that data in the first place, and faced criminal sanctions if they were found to be in violation.
All of the credit card issues of the last year involved cases where credit card processing companies stored personal data which directly contravened the credit card companies' rules regarding credit transactions. Because there is no law that makes following credit card company rules regarding transaction data mandatory, the companies involved had almost zero incentive to obey those rules.
It's the same with companies that store your credit information, and then sell it to whoever asks without your permission. If they faced severe criminal sanctions for storing that data in the first place, it wouldn't have been available for identity thieves to steal.
So it's all well and good having disclosure laws in place, provided they don't do what this one does and trump more powerful state laws that actually have the teeth to do something if a business is in violation, but this should be combined with a data privacy law that forbids the retention of people's personal data without explicit permission. Not checking a box on a form would not constitute permission. Violations should be punishable with mandatory prison sentences for the owners of any business that fails to abide by the law.
This is the only way we can have any sort of meaningful protection, but because it places a burden of proof on business, and prevents other powerful businesses from exploiting your data, it'll never happen until people wise up and vote out every congressman or congresswoman currently in office.
- This Bill Will Go Nowhere
- by gmcaloon--2008 May 12, 2006 9:40 AM PDT
- This ridiculous bill will not even get out of committee, let alone be passed by the full House, not to mention the Senate.
It takes exactly the wrong approach to leaked personal data. It outlaws allowing a company whose database was broken into and personal information stolen to make the security breach public without first notifying the police who can then delay informing anyone about the breach for as long as thirty days.
The point of public notification is to protect those whose information has been stolen and that requires that the people affected be notified as quickly as possible so they can take steps to protect themselves. Such public notification is mandatory by law in some states, California for example.
Privacy advocates will jump all over this proposal and rightly so because the bill puts the interests of the police ahead of protection for those whose information was stolen. An incredibly bad bill. So bad that, as I say, it will go absolutely nowhere and we can all be thankful for that.