[SGVLUG] another bad bill
Chris Smith
cbsmith at gmail.com
Tue Nov 29 17:09:39 PST 2005
On 11/29/05, John Riehl <jcriehl at mail.jpl.nasa.gov> wrote:
> another anti-consumer bill.
That's more than a little unfair. While the bill removes certain
features of the California law, it certainly introduces a whole new
set of burdens on people maintaining financial information on those in
49 other states.
On the specific points cited by the guy who wrote this article:
1) He just got it plain wrong that it is up to companies to determine
that a breach will result in a significant risk of identity theft.
Their security plans have to be submitted to the FTC, and in the event
of a breach, the FTC conducts an audit of the broker's practices (and
they get to conduct annual audits for up to 5 years after the breach).
The FTC gets to set the standards and determine whether someone is in
compliance with them. Sure, you might question the FTC's stewardship,
but I don't see much reason to think some other non-partisan body
would do any better.
2) Yup, individual private citizens lose their right to sue companies
for failure to protect their information. Translation: fewer class
action lawsuits for frivolous security failures (because these
failures are generally not going to affect just one person). Instead
it's left to the states' attorneys general. In general, lawsuits are
not the best way to resolve these kinds of security issues. Trust me,
you'll end up with the kind of red tape that means if you lose your
password you'll never get access to your account back, not to mention
significantly increased costs for doing business, which in turn get
passed on to the consumer (which is fine if the costs are tied to
actual improvements in security, but more often than not, they are
just designed to prevent future lawsuits). Unfortunately, trial
lawyers are really only in it for the payout, whereas an attorney
general is more focused on a solution (albeit "political solutions"
can take precedence over real solutions).
3) Enforcement of the law is not left up to the FTC. They have a key
role to play in establishing standards and performing audits of said
standards, but state AGs still get to sue someone who lets data slip
out. Yes, the FTC got a puny $1 million budget to do this work, which
does seem a tad light to me; AFAIK the California bill didn't allocate
a dime for it.
--
Chris