The U.S. Federal Government has decided that it is time to take personal data privacy and security seriously, which on the surface sounds like a noble goal. This raises the question: is the Federal Government capable of working out the details, or is the private sector better equipped to handle the job?
To understand the severity of cybercrime, all you have to do is look at the Sony PlayStation attack earlier this year. When you frame the discussion in the context of the attacks on Sony, the Central Intelligence Agency (CIA), and Booz Allen Hamilton, the issue begins to take shape and the problems that can arise become clear: loss of consumer confidence, risk to national security, and of course lost profit.
Personal Data Privacy and Security Act of 2011 – Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers.
Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a “data broker” as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis.
Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.
Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act.
Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches.
Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies.
Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.
Reaction and Thoughts
Within the first 12 pages of this proposed bill, the punishment is outlined: anyone who has knowledge of a security breach and conceals that fact can be punished under the law. Furthermore, such a breach is defined as one having an economic impact on one or more individuals, and concealing it carries a fine or imprisonment for no more than five years, with investigative authority given to the United States Secret Service.
Entities that collect data on individuals will have to institute measures by which an individual can request the data collected about them, and the broker must turn this information over to the requester at a reasonable cost. This is a positive step; however, how many data brokers are out there? For example, say you conduct business with Google and Microsoft: would a $25.00 fee be reasonable? Now consider that you also use Facebook, FourSquare, Twitter, and any number of other services, and you begin to see that, when it is all said and done, you could spend hundreds of dollars on such a request. Could the answer lie in the credit reporting model, where there are a limited number of agencies?
Remember that pesky financial penalty I alluded to earlier? It comes in at $1,000.00 per violation for every day that the violation is not corrected. So if you have five violations and it takes fourteen days to resolve the issue, the price tag comes in at $70,000.00, and twenty-eight days would result in $140,000.00 in fines. The good news is that there is a cap of $250,000.00 per violation, but this will be an expensive lesson for any business that finds itself in this precarious position.
If this is not enough to get businesses to take security seriously and invest in it, then I am not sure what other incentives would help.
In today’s political environment, one could make the argument that the government has our best interests at heart, and I believe that at the end of the day the government is doing the best job it can to provide a level of protection. On the other hand, given the state of the national debt, one could argue that this is a way to generate revenue. In either case, it is clear that cyber security is paramount to protecting this great nation and its citizens.
- Personal Data Privacy and Security Act of 2011
- Applying Information Security and Privacy Principles
- Congress wants answers from Sony on PlayStation hack
- August 2011 Cyber Attacks Timeline