Leaky credit report biz face massive fines if US senators get their way

New legislation introduced in the US Senate by Elizabeth Warren (D-MA) and Mark Warner (D-VA) would result in credit reporting agencies being slapped with stiff fines if they play fast and loose with data security. The Data Breach Prevention and Compensation Act [PDF] would impose a mandatory $100 fine per person affected on …

  1. Anonymous Coward

    No chance

    The lobbyists are doubtless already spraying cash around liberally to make sure this goes nowhere.

    1. Anonymous Coward

      Re: No chance

      Being sponsored by a couple of Democrats tells you this is going nowhere. The lobbyists won't waste their cash opposing this, because they don't need to.

      1. kain preacher

        Re: No chance

        Normally I'd agree with that, but it was Democrats that repealed Glass–Steagall under Clinton. It was also Democrats that repealed the federal usury laws. They've got way too much money in their pockets.

        1. Anonymous Coward

          Re: No chance

          Democrats write lots of bills that make wonderful headlines but have no chance of passage even when they control the White House and both chambers of Congress. This is so they can campaign on a record of "trying" to do the right thing. Horrible creatures.

      2. BillG
        Mushroom

        Re: No chance

        Remember this from July 2017?

        Democrats (still a thing, apparently) are super unhappy about AT&T's Time-Warner merger ("the party says it stands in opposition to this and other mergers that will reduce competition among cable providers")

        Oh, No! A very strongly worded position from the Dems! But a few months and a few $$$ thrown at Dem lobbyists later and there is silence and inaction on the part of the Dems. The Dems investigations into Twitter and Facebook fared the same.

    2. a_yank_lurker

      Re: No chance

      The biggest problem with the bill is the size of the potential fines. They are big enough to bankrupt a company in short order (50% of annual revenues). In many cases that would be as bad as the security breach, as the company sinks, taking other innocent businesses with it.

      The bill is poorly thought out as far as its effects. Probably a better solution is, when a breach is above a certain size or due to gross negligence/incompetence, to give the C-suiters a personal multiyear, all-expense paid vacation courtesy of Club Fed with a personal massive 'donation' to the feral treasury.

      1. User McUser
        Holmes

        Re: No chance

        The biggest problem with the bill is the size of the potential fines. They are big enough to bankrupt a company in short order (50% of annual revenues). In many cases that would be as bad as the security breach, as the company sinks, taking other innocent businesses with it.

        Well then they had better be pretty fucking careful with our data in order to keep that from happening.

      2. spacecadet66

        Re: No chance

        Yes, it would be a shame if there were serious consequences for a serious blunder.

      3. Doctor Syntax Silver badge

        Re: No chance

        "give the C-suiters a personal multiyear, all-expense paid, vacation courtesy of Club Fed with a personal massive 'donation' to the feral treasury."

        You're talking about job titles. Job titles are what the company chooses to make them. They're just strings of letters. Unless you actually define the roles in your legislation then you have a massive loophole in it. Much easier to go for the directors. Those are already defined in company legislation.

    3. Anonymous Coward

      'lobbyists are doubtless already spraying cash'

      Or they're cynically laughing over cigars & wine, that the Do Nothing Congress will never get around to passing it... Even if they come close, POTUS and his comb-over can kill it anyway...

  2. herman

    If they don't backdate the law, it won't be much use.

    1. Anonymous Coward

      Sure it will, it will make companies more willing to invest resources in preventing future breaches instead of just assuming they can take a brief public black eye when it hits the press and move on.

      1. Mark 85

        Exactly... I don't think a law can be backdated so this is preventive in nature.

      2. DontFeedTheTrolls
        Pirate

        "Sure it will, it will make companies more willing to invest resources in preventing future breaches instead of just assuming they can take a brief public black eye when it hits the press and move on."

        Sure it will, it will make companies more willing to invest in covering up breaches and obfuscating the number of affected individuals.

        1. Doctor Syntax Silver badge

          "Sure it will, it will make companies more willing to invest in covering up breaches and obfuscating the number of affected individuals."

          No change there, then.

    2. kain preacher

      You cannot backdate laws in the US.

      1. Claptrap314 Silver badge

        Except for taxes. See the 1993 tax bill for an example. And someone's wife having her pay moved into 1992 to avoid it.

  3. Anonymous Coward

    Better Read It Again Folks

    This could also be an attempt to limit the corporation's liability to the consumer to only $100 per person plus $50 for each piece of PII.

  4. elDog

    So many flaws even with good intentions

    It's time to hold the executives and board of directors directly accountable in all corporate transactions, including the so-called "limited-liability" corporations.

    Fining a company into rubble won't work and there are corporate shenanigans that can make a non-controlled entity totally liable in case there are problems.

    I'd really like to see some strict financial ties between an officer's wealth and the liability of the company; both during the officer's tenure and some period (5 years?) post tenure.

    For every individual that the company holds compromising information about, there should be a surety bond tied to the company and officers. This bond should be able to be exercised by an aggrieved party (or class) with a simple finding of fault.

    Any company that offers a "free credit check" as a result of their malfeasance should immediately be dissolved and any officer forced to take credit counseling courses.

    1. Anonymous Coward

      Re: So many flaws even with good intentions

      A simpler solution would be to classify corporations as machines and require the term legal person to refer exclusively to living homo sapiens.

      Job responsibilities define legal liabilities.

      Caveat: It will never happen.

  5. FozzyBear
    Mushroom

    Until they hold the directors or "C" suite criminally liable, no one will care.

    With a potential $1.5Bn fine, the execs will look at dissolving the company, take their overly large bonus packages and flick the Government the middle finger as they walk out the door. There are just too many ways to dodge corporate responsibility. Until they fix that, this is just smoke and mirrors.

  6. Kabukiwookie
    WTF?

    "$100 fine per person"

    Just $100? How about full compensation for the potential cost of someone having their identity stolen.

    $100 is a tip, compared to the cost, not just in money, but in stress and time that people need to sink into fixing identity theft.

  7. Anonymous Coward

    The only thing massive companies understand is billion dollar fines

    Anything less than billion dollar fines is just the cost of doing business for unscrupulous companies.

  8. IglooDude

    This looks to me like a more specific version of GDPR, with significantly higher penalties. While GDPR itself doesn't become law until May, I'm aware of some companies (including mine) already making preparations. Why then the objection to this one that it is useless unless executives are directly exposed?

  9. Doctor Syntax Silver badge

    So they've finally begun to notice.

    I wonder how long it will take before they start to think in wider terms than credit reference agencies. I suppose there's a factor limiting that. Given the number of breaches with US Gov't agencies if they made it a blanket law they might have to build in exemptions for gov't and that mightn't look too good. It might even start the plebs thinking about all the data gov't collects and that could be a really scary outcome for them.

  10. This post has been deleted by its author

  11. Drew Scriver
    Alert

    The problem will remain until executives are personally liable

    The problem is not going to go away until executives can be personally prosecuted for gross negligence if it can be demonstrated that they willingly and knowingly failed to implement adequate security policies and programs.

    We keep hearing about employees in the trenches who flag security issues, only to have it go nowhere. They often do this at their own peril, and frequently it does not lead to an improvement in the company's security posture.

    In addition, we need a public clearinghouse where customers can report security issues. That too should have some teeth. If a company fails to address a reported issue and it results in a breach, that should be grounds for meaningful penalties. In addition, some agency must have enforcement powers to go after companies that fail to fix reported issues. Any enforcement action should be made public.

    There should also be a timed trigger for publication of reports. Give a company some time to fix the issue and make it public after the deadline. No pulling punches here - let's use the PCI-DSS standard of one month (after patches are available) for CVEs that are rated 4 or higher.

    While I'm on the subject, the legislature needs to codify the meaning of "adequate security". As a starting point, maybe require PCI-DSS compliance as a baseline for all PII (not just credit cards) and also require adherence to the NIST security standards.

    Massachusetts tried to pass a bill to hold executives personally liable for security breaches, but I don't believe it became law.

    As for this proposed fine, as a rule of thumb, companies already assume that it will cost an average of $200 per breached account (direct and indirect costs). Some of that can even be mitigated by purchasing an insurance policy.

  12. Aodhhan

    Political crap

    Elizabeth Warren has been tossing out a lot of useless bills in an effort to get her face in front of a camera, and this proposed bill is no exception. Don't be shocked if she claims to have 'computer geek' heritage.

    Anyone with more than 2 years' experience in IT can see it's a bunch of crap done haphazardly. It's missing far too many things and doesn't hit the details required and powers needed for a true "Information Security Tsar" office covering consumer information held by businesses and organizations.

    Also, this bill addresses two very different things: an office and a penalty, with no policy in place.

    How about we first create the office/organization, then create policy, and finally create penalties.

    This way, experts who know what they are doing put something together. Not some lying politician who hopes to be president some day.

  13. Lion

    Lawmakers fail

    As this law is focused primarily on the credit bureaus and the way they create consumer databases and sell services based on that data, the bill should have addressed the cost that gets passed onto the victims when a breach occurs. Fines do not pay the victims a red cent. The costs can be in the thousands.

    Currently if the consumer has their data stolen, they are left with dealing with the consequences. Offering a 'free service' from the same company that lost the data in the first place, does not address the fact that harm has already been done and the costs that the individual must endure to clean up the mess. Also a victim has to prove that they have been harmed by the breach itself. Legal fees are not cheap.

    I can see a need to impose a fine on the company for a data breach, and that should cover the government's investigation and administration costs with an ongoing fund for legal costs. That will affect the company's bottom line, but it will be specific to the situation. As far as punishment and deterrents for the company's leadership, the lawmakers should have introduced a felony charge that can be associated with this type of corporate indifference. The execs will need to deal with the prospect of having a criminal record and possible jail time. That will influence their behavior, attitude and vigilance.

    If the investigation determines harm has occurred, then the company is then responsible for covering the victim's financial costs. The company can not use their own service offerings for this.

    The bill that these 2 Senators have produced is ridiculous. It is obvious that a court challenge would render it absurd. The company would be absolved of the fines and the wrongdoers would walk away unscathed.

  14. Nimby
    FAIL

    The cost of ruining someone's life? $100

    You knew there would be attempts to change law after it happened, but this particular example falls sadly short of the mark.

    What's worse is that in this particular case it was a company not with "customers" but with unsolicited worldwide non-optional data grabbing. If anything, the first law we need is to abolish the credit score trio and the second is to establish that any such replacement be specifically opt-in by design. And then we can start discussing the proper way to handle basic security practices and culpable negligence for any lack thereof, and the liability of those who made the decisions and approved of them within the corporate structure.
