
Elizabeth Warren's bill would fine the next Equifax for data breach - rectang
https://www.cnet.com/news/elizabeth-warren-equifax-mark-warner-credit-reporting-agencies-data-breach-bill-fines/
======
throwaway2016a
Data breaches are inevitable. Admittedly I haven't read the bill but I would
generally be against something like this unless it provides rules for:

- Securing your system (like PCI)

- Training your employees

- Disclosing a data breach in a timely way

AND if the company follows all the rules they are protected from the fines.

There is no reason why a company that does their absolute best to be secure
but falls victim to a zero-day vulnerability should be treated the same way as
someone that was willfully negligent like Equifax.

If a company is willfully negligent (Equifax, Uber, and AshleyMadison are
notable examples) I think a fine is not enough. Revoking their license to do
business needs to be on the table as a maximum penalty in the most egregious
cases. I'm talking companies that try to hide the breach from the victims,
systematically underspend on security, etc.

Edit: As an aside, as someone who has done a number of startups in a CTO role,
sometimes getting the board and upper management to agree on spending money on
security is like pulling teeth. A lot of startups end up getting to 100,000
users without even thinking about security, never mind putting appropriate
systems in place. Penalties for neglecting security would give CTOs powerful
ammunition to be able to invest in this critical area.

~~~
Retric
The advantage of a fine is you offload all the costs of enforcement from the
government to industry/private insurance companies that underwrite the
industry. Adding yet more bureaucracy to maintain solid regulations is a real
cost; on the other hand you are going to need the same detection and
enforcement either way. So, we might as well save the taxpayer money and simply
fine based on outcomes.

PS: It also simplifies the court cases, as demonstrating a data breach is more
straightforward than demonstrating a company followed all reasonable
precautions even though they failed.

~~~
throwaway2016a
I agree that is a real concern.

The disadvantage though is that thanks to zero-day vulnerabilities it means
anyone who runs a software company can get hit by lightning at any time. And
quite possibly through no fault of their own.

Though I suppose there could be insurance policies for that in the same way a
home contractor has insurance for if they fall off a ladder.

At the same time, sending an auditor to an office for a couple days to assess
their security readiness is cheaper for the taxpayers than tying up the
courts if/when a large company disputes the fine.

~~~
zardo
Another possibility is vendors that take responsibility for security flaws in
their hardware or software.

To take your contractor falling off a ladder analogy, the company that built
the ladder could be held partially liable for the flaw as well.

------
HenryBemis
Lobbying in USA has corrupted many values. Equifax is not a teenager child
that broke a vase and got a 2h-off-wifi penalty. They knowingly ignored basic
security practices to maximize gain.

Since basic risks were not addressed, Equifax (and anyone else showing this
level of neglect) should be severely punished.

~~~
bognition
I'm not sure they knowingly ignored best practices, it's probably more that
they were ignorant of them. I've personally met with CSOs (chief security
officers) from Fortune 50 companies who didn't have a clue what ACLs are, how
encryption works, or what an onion security model is.

A lot of these people have been in the game long enough that many best
practices were invented after they stopped learning.

This does not justify their behavior, rather it provides more context
around a potential contributing cause.

~~~
nathantotten
I would assume that a CSO at a F500 company is mostly responsible for things
like budgeting, hiring, and high level strategy. I would think not knowing
these specifics is reasonable. What isn’t excusable though is these companies
ignoring advice from internal and external sources. Companies clearly make
deliberate budget choices by weighing risk/reward and a CSO at a big company
often rationally doesn’t make the right security choice because the risk is
small. IMO, bills like this are needed in order to force companies to properly
value the risk of bad security.

~~~
alphonsegaston
The idea that you can make high-level strategy choices about security without
intimate knowledge of that domain is what needs to go away. That kind of
thinking is the product of a business culture designed to keeping rich people
with MBAs employed over making sane decisions.

~~~
nathantotten
I think that's being a little extreme. I would guess that a CSO is typically
somebody who has the experience, but has worked their way up. It is natural
that as you progress in leadership in a company you become less knowledgeable
about the details. A good executive is somebody who can hire the right people
and listen to them. Somebody who has to know everything themselves is actually
dangerous in my opinion - they are ignorant of what they don't know, could be
unwilling to take advice, and may be inflexible about new ideas.

To clarify, I am not talking about a CSO at a 100 person startup. I am talking
about somebody like the CSO of Equifax or Boeing, which should have hundreds of
people reporting to them. They cannot possibly know the specifics of
everything they secure.

------
g051051
Sadly, she seems to have a gross misunderstanding of the facts of the case, as
well as cybersecurity in general. There's essentially no chance of this being
passed, she's just showboating.

Key questions:

1. Does this apply to all data aggregators, or just CRAs?

2. Does it apply to government breaches, banks, individual businesses, etc?

3\. What additional oversight is going to be applied by the FTC that isn't
already happening as part of the vast amount of other regulations? How will it
protect consumers?

~~~
fortythirteen
Question 4: Where does the money from the fines go?

Her main regulatory creation was a whole new agency that is completely
unaccountable to the people it was supposed to serve. She's the last
politician I trust with these sorts of things.

~~~
lr4444lr
50% to the new Office of Cybertechnology, 50% to the victims of the breach.[0]

I don't think Ms. Warren really understands most of the issues in finance
she's often cited as a champion for, and dislike much about the CFPB, but this
new effort to put dedicated personnel around setting minimum security
standards and imposing civil penalties isn't too bad, as long as it doesn't
indemnify the bad actors for victims seeking individual damages.

[0] https://www.scribd.com/document/368838846/Data-Breach-Prevention-and-Compensation-Act-of-2018-Final

~~~
fortythirteen
> the new Office of Cybertechnology

Wow, so Consumer Finance Protection Bureau 2.0. Unbelievable.

~~~
lr4444lr
That's a bit more cynical than I think the situation merits. Is it really so
bad to have at least a defined lower bound and enforcement mechanism for
prosecuting negligence in information security? Also, it will be under the
FTC, not a newly defined agency.

~~~
fortythirteen
Why must Democrats' answer to every problem be to create a wholly new
bureaucratic body, that will create its own regulations separate of the
legislative branch, and most likely get so bloated that it'll stifle
innovation within a few years?

~~~
acdha
That’s only how it works in right-wing propaganda. In the real world,
regulatory agencies closely follow the rules which Congress gives them. When
something is delegated to a regulator it’s because Congress didn’t want to
deal with it — fast changing, requires a lot of specialist research, etc.

That last is why you need an office in the first place: for problems which are
important enough to care, you need experts who are familiar with the field and
aren’t working for a party with an interest in the outcome. Experts like
having health insurance, paying their mortgages, etc. so you need to be able
to offer them jobs, somewhere for them to sit, funding to support research and
analysis, etc.

In terms more familiar to HN, your question is like asking why your company
needs an IT department when you can hire consultants. I mean, yes, you could
just let Gartner and Oracle tell the CEO what to do but it wouldn’t be
cheaper.

~~~
fortythirteen
> That’s only how it works in right-wing propaganda.

No, it's not. That's how it looks to everyone who has ever been on the
receiving end of a bureaucratic nightmare. I believe part of the reason the
Democrats have done so poorly in the last few years is because middle class
America wound up on the wrong side of Obamacare and it woke them up.

> In terms more familiar to HN, your question is like asking why your company
> needs an IT department when you can hire consultants.

No, it's like your company hiring a whole new, separate IT department, with
minimal oversight, every time they hire a new contractor, instead of training
up the existing IT team.

~~~
aaronbrethorst
That's weird, polling data shows a +12 point spread on favorability numbers
for the ACA[1].

What's interesting to me is that the ACA never had majority favorability until
repeal was legitimately on the table. And then all of a sudden people
"woke...up" as you put it to the idea that their 20-something year old
children could lose health insurance, or a person who had cancer years ago
could be denied coverage, or that an underemployed person in Kentucky could
lose their Medicaid-based health insurance.

Let's be clear: the ACA has a lot of problems. Some of these, like spiking
premiums this year, are due to the actions of the current Congress and
President. Some of these are due to a lack of real competition, which may have
been addressed if the law had included a public option buy-in[2]. Some of
these, like shitty exchange websites, are a real problem.

[1] https://www.realclearpolitics.com/epolls/other/obama_and_democrats_health_care_plan-1130.html

[2] Blame Joe Lieberman for this:
https://www.publicintegrity.org/2015/02/16/16766/elimination-public-option-threw-consumers-insurance-wolves

~~~
fortythirteen
> polling data shows a +12 point spread on favorability numbers for the ACA

Here's the page where they show all the polls used to collect this
"summary"[0]. Interesting that the vast majority of them show "against"
strongly winning.

The PPD poll giving +18 for ACA shows that 49% want to impeach Trump, but
conspicuously doesn't ask party affiliation. That's a huge red flag of a
stacked poll.

[0] https://www.realclearpolitics.com/epolls/other/obama_and_democrats_health_care_plan-1130.html#polls

~~~
aaronbrethorst
Here, let me quote myself: _What's interesting to me is that the ACA never
had majority favorability until repeal was legitimately on the table._

Also, best of luck with your poll unskewing. I had thought that the legitimacy
of that ship had sailed all the way back in 2012. Guess not.

~~~
fortythirteen
So you actually believe that 49% of Americans actively want Trump impeached
now?

~~~
aaronbrethorst
Why are you fixated on PPP? You're better off looking at aggregate polling
data. That's what I'm talking about with the ACA.

~~~
fortythirteen
> Why are you fixated on PPP?

For one, it's the latest poll, and you're fixated on a recent change in
opinion on ACA.

Secondly, an aggregate of what? Once you have bad data in the mix, especially
one that skews +18 in one direction, your aggregate is skewed as well. And
that aggregate has half a dozen PDP polls in it alone.

~~~
aaronbrethorst
Again: _What's interesting to me is that the ACA never had majority
favorability until repeal was legitimately on the table._

Have a nice day.

~~~
fortythirteen
And again: your supposition that it has majority favorability is based on
polls that are suspect.

Have a good one.

------
willvarfar
I bumped into this talk today: Frank Abagnale: "Catch Me If You Can"
[https://www.youtube.com/watch?v=vsMydMDi3rI](https://www.youtube.com/watch?v=vsMydMDi3rI)

He became an FBI agent and works with data breaches. So after entertainingly
describing his life story he does mention the Equifax breach at the 37m mark.

He paints a very negative picture of Equifax.

It's well worth watching the whole thing, and not just skipping to his FBI
Agent opinion of Equifax.

------
cmiles74
From the article:

"The agencies already comply with the same rigorous data protection standards
as banks," said Francis Creighton, President and CEO of the Consumer Data
Industry Association, which represents Equifax as well as Experian and
TransUnion.

Well, clearly it's not all that rigorous.

~~~
mLuby
US Banks are laughably insecure. They get away with it because they can undo
most of their mistakes by calling up fellow banks and reversing transactions.
It works because the asset (money) is still in a system they control, as a
group.

With data breaches, there is no undo because the asset (data) moves outside a
system the breached parties control.

------
twoodfin
I’d rather attack this from the other side: There will always be large
aggregations of semi-public consumer data, and there will always be
breaches... unless we make that data less valuable for criminal enterprises.

Increase the penalties for banks and other institutions that issue fraudulent
credit or otherwise fail to properly identify and authenticate the consumers
with whom they’re doing business. Simply having the details of my credit
report and my Social Security number should not be enough to open a bank
account in my name.

~~~
crispyambulance
It is perfectly reasonable to WISH that a couple of flimsy pieces of
information cannot be used for identity theft and fraud. Maybe in the next few
decades we will modernize such things?

Until then, however, if companies like Equifax are going to deign to hold
sensitive information on behalf of THE PUBLIC and profit off of that, they had
better take responsibility for it or face consequences if they fail.

------
rectang
This legislation isn't my preferred solution, but at least it has its
priorities right. Nothing gets me more ticked off than hearing that the myriad
individual human tragedies arising from the misaligned incentives of the
credit rating industry are an unsolvable problem. Heck, in moments of
intemperance, I've yearned for vigilante hackers to take revenge for the
victims of identity theft since no one else will, and I know I'm not alone.

~~~
bmelton
So, what _is_ your preferred solution?

------
dandermotj
In the EU we have the incoming GDPR to legislate for (and penalise) data
breaches like this. This directive is very clear and detailed on how data
should be collected, securely stored and disposed of. US law is a decade
behind the EU.

~~~
mtremsal
To be fair, the GDPR extends to any company that processes personal
information from EU subjects. It is raising the bar for most US companies.

------
mxuribe
Even if this is not the ideal solution, or even if this is too much like a
hammer where a more surgical approach would be best...this is a start and
certainly better than nothing. These types of breaches can be so harmful, and
have such far reaching ramifications that we need _something_ - almost
anything here!

------
patrickaljord
If I use a third party to store my clients' information and this third
party gets hacked, my clients would be suing me for choosing a bad third party
and losing their data. I don't understand why people aren't suing the
government in this case instead of picking on Equifax, or am I missing
something?

~~~
g051051
> my clients would be suing me for choosing a bad third party and losing their
> data.

And their cases would be tossed out of court for being meritless.

------
sol_remmy
If people are victimized then why does the money from the fine go to the
government?

I would prefer receiving a $50 check in the mail from a class action lawsuit.
All this does is add more money to gov't coffers.

------
thinkMOAR
So when a data breach happens at a government body, who will be fined?

------
exabrial
Are they _not_ being fined?

------
rufusroflpunch
I hate the idea of regulatory agencies fining anyone for anything. Why should
the agency/government get revenue from someone's failure? The purpose of
courts is to assign damages, that's the whole reason courts exist. If the
courts aren't able to do their only job, then work on fixing that instead of
creating yet another agency.

~~~
allworknoplay
It covers the cost of creating enforcement agencies that can actually be
effective.

