looks like IP may suffer also

[David Farber <dave () farber net>]

> -----Original Message-----
> From: politech-bounces () politechbot com
> [mailto:politech-bounces () politechbot com] On Behalf Of Declan  
> McCullagh
> Sent: Thursday, June 30, 2005 12:14 AM
> To: politech () politechbot com
> Subject: [Politech] Preliminary analysis of new Specter-Leahy data  
> security
> bill: opinions? [priv]
>
> It's worth taking a close look at the new Specter-Leahy security  
> breach
> bill -- introduced Wednesday -- because it's the most comprehensive so
> far and the leading candidate to be enacted into law this year. It's
> even, at least in theory, going to be voted on in the Senate Judiciary
> committee on Thursday:
> http://judiciary.senate.gov/meeting_notice.cfm?id=1555
>
> The sections dealing with government use of databases seem generally
> useful (though some loopholes exist, like the requirement that a
> database is "primarily" of Americans before its use is covered -- look
> for the FBI to start inserting random Mexican names to get around the
> "primarily" requirement). So let's look at the private sector  
> components.
>
> Bear with me as we get a little technical here...
>
> Title III of the bill erects a complex regulatory scheme around any
> "data broker." That's defined as a "business entity" that it's in the
> regular business of "collecting, transmitting, or otherwise providing
> personally identifiable information" of 5,000 or more people that are
> not "customers" or "employees." Business entity is defined as any
> organization, including a sole proprietorship, that's in the  
> business of
> making money, or a non-profit group that isn't.
>
> Well, Politech is a sole proprietorship -- I have some Google text ads
> on politechbot.com that make a princely $10-$15 or so a month. If they
> made more I wouldn't complain. And I'm pleased to say that the list
> includes over 5,000 subscribers.
>
> Do I "collect[]" personal information? 18 USC 1028(d)(7) defines  
> that as
> "any name or number that may be used, alone or in conjunction with any
> other information, to identify a specific individual." Mailman gives
> subscribers the option of typing in their name, and obviously I have
> everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly  
> includes any
> "unique electronic identification number, address, or routing code" so
> that seems to cover e-mail.
>
> So that makes me a highly-regulated "data broker" unless I can  
> skate on
> some other technicality. Again, I'm arguably in the business of
> regularly "collecting" information from people are aren't  
> "customers" --
> you don't buy anything frome me. Let's assume I can't escape the rule
> and continue this walk-through.
>
> If I am indeed a data broker, what must I do?
>
> * "Clearly and accurately" disclose all relevant "personal electronic
> records" (maintained for disclosure to third parties) about an
> individual if he or she asks me.
> * "Develop and publish" a set of "procedures for correcting inaccurate
> information."
> * Offer to "investigate" "free of charge" any discrepancies.
> * Provide an opportunity to insert a "100 word" notice of any dispute.
>
> If I don't, I can be sued and fined $1,000-$2,000 per violation per  
> day.
>
> Title IV of the bill is far more exhausting. Any "business  
> entity" (that
> term again) including a sole proprietorship that collects, accesses,
> transmits, stores, or disposes of personal info in digital form on  
> over
> 10,000 U.S. persons must create a "data privacy and security program."
>
> Well, there are over 10,000 Politech subscribers, and that's an even
> broader definition (no requirement that it be limited to non-customers
> or that the involvement be regular). So I'm likely covered. If that
> happens, I must:
>
> * "Implement a comprehensive personal data privacy and security  
> program"
> * Create a "risk assessment" to "identify reasonably foreseeable"
> vulnerabilities
> * "Assess the likelihood" of security breaches
> * "Assess the sufficiency" of my policies to protect against them
> * Protect information by encrypting it
> * Publish the "terms of such program"
> * Do "regular testing of key controls" to test security
> * Select only superior "service providers" after doing "due diligence"
> * Regularly "monitor, evaluate, and adjust" my security policies
>
> If I don't, I can be fined up to $10,000 a day per violation.
>
> Oh, and there's Title IV Subtitle B. It's pretty much the same
> definition, and requires me to:
>
> * In the case of a security breach of the Politech subscriber list, I
> must notify the U.S. Secret Service and the state attorney general.
> * And I must notify individual subscribers
> * And I must notify consumer reporting agencies
> * For individual subscribers, I must notify via physical mail to home
> address, or if I can't, via telephone call to your home. There's no
> provision for e-mail contact. But if I don't follow that procedures I
> violate the law.
> * I also must post this notice publicly on the Web and notify "major
> media outlets"
>
> If I don't follow those rules, I can be fined up to $10,000 a day per
> violation -- and if I "willfully" conceal the security breach, I  
> can be
> fined something like $250,000 and be imprisoned for up to five years.
>
> I recognize that senators Specter and Leahy are trying to target
> ChoicePoint and Acxiom and so on. But their bill, as written, does not
> appear to be written to include just those data warehouses. And given
> that they've had months and (presumbly) very bright people drafting  
> it,
> that makes me worried.
>
> In fact, the definitions could cover, for instance, news organizations
> (many news sites arguably provide personal information on thousands of
> people, and People magazine's Web site certainly does). How about
> popular blogs that have thousands of registered users? Search engines?
> Google's phone number finding service? Libraries? Email service
> providers? Alumni organizations for schools? Charities, like Golden  
> Gate
> National Parks Association? What about universities, especially in  
> terms
> of all the applications they get? Sweepstakes companies? I wonder if
> probable supporters of this bill -- like the ACLU and EPIC -- would
> enjoy having to follow all these complicated procedures (with the
> penalty of fines or prison terms if they don't).
>
> I admit this is just my preliminary reading, but my sense is that  
> these
> requirements will end up being another version of Sarbanes-Oxley, with
> the same destructive, wealth-eroding implications:
> http://www.politechbot.com/2005/06/16/richard-rahn-on/
>
> Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust
> prosecutors' discretion" is not a useful one). If I'm right, how much
> harm will be done in the name of "protecting privacy?"
>
> -Declan
>
> ---
>
> News article:
> http://news.com.com/2100-7348_3-5769156.html
>
> Text of legislation (Leahy's floor statement is below):
> http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf
>
> Additional background material:
> http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
> http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
> http://www.politechbot.com/docs/specter.leahy.summary.062905.doc
> _______________________________________________
> Politech mailing list
> Archived at http://www.politechbot.com/
> Moderated by Declan McCullagh (http://www.mccullagh.org/)


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/