new bill that would jail executives for not stoppi
By Josephine Wolff, Dec. 4, 2018 7:40 PM
The news that the personal data of 500 million Marriott customers was stolen broke less than a week ago, so it’s a good moment to be trying to capitalize on it to build support for more aggressive security policies. In a week or two, the Marriott breach will be old news and that momentum will almost certainly have evaporated, but in the meantime, Sen. Ron Wyden has released a discussion draft of a new bill, the Consumer Data Protection Act, aimed at ramping up the penalties imposed on companies, like Marriott, that suffer these types of massive breaches.
The CDPA draft gets a lot of things right about cybersecurity breaches—it is absolutely true that there are insufficient penalties for failing to protect customer data, that the Federal Trade Commission is not able to impose significant fines on breached companies and does not have adequate resources to investigate every major breach, and that the lack of clear-cut minimum security standards for organizations storing personal information makes it all the harder to sort out these liability issues. But while Wyden’s office does a good job articulating the problems surrounding breaches like Marriott’s, the proposed solutions are less promising.
The most eye-catching piece of the proposed draft is a provision that would allow for executives who knowingly sign off on incorrect or inaccurate annual certifications of their companies’ data-security practices to face prison sentences of up to 20 years. In a largely sensible bill, this is a wild overreaction—and one that in no way helps companies struggling to figure out how to do a better job protecting sensitive data.
The presumption of the jail-time penalty seems to be that one of the big problems in security today is that executives are constantly lying about how good their data security is and they are not sufficiently fearful of the consequences of breaches to invest