-----Original Message-----
From: politech-bounces@xxxxxxxxxxxxxxx [mailto:politech-bounces@xxxxxxxxxxxxxxx] On Behalf Of Declan McCullagh
Sent: Thursday, June 30, 2005 12:14 AM
To: politech@xxxxxxxxxxxxxxx
Subject: [Politech] Preliminary analysis of new Specter-Leahy data security bill: opinions? [priv]
It's worth taking a close look at the new Specter-Leahy security breach
bill -- introduced Wednesday -- because it's the most comprehensive so
far and the leading candidate to be enacted into law this year. It's
even, at least in theory, going to be voted on in the Senate Judiciary
committee on Thursday:
http://judiciary.senate.gov/meeting_notice.cfm?id=1555
The sections dealing with government use of databases seem generally
useful (though some loopholes exist, like the requirement that a
database is "primarily" of Americans before its use is covered -- look
for the FBI to start inserting random Mexican names to get around the
"primarily" requirement). So let's look at the private sector
components.
Bear with me as we get a little technical here...
Title III of the bill erects a complex regulatory scheme around any
"data broker." That's defined as a "business entity" that's in the
regular business of "collecting, transmitting, or otherwise providing
personally identifiable information" of 5,000 or more people that are
not "customers" or "employees." Business entity is defined as any
organization, including a sole proprietorship, that's in the business of
making money, or a non-profit group that isn't.
Well, Politech is a sole proprietorship -- I have some Google text ads
on politechbot.com that make a princely $10-$15 or so a month. If they
made more I wouldn't complain. And I'm pleased to say that the list
includes over 5,000 subscribers.
Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that as
"any name or number that may be used, alone or in conjunction with any
other information, to identify a specific individual." Mailman gives
subscribers the option of typing in their name, and obviously I have
everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly includes any
"unique electronic identification number, address, or routing code" so
that seems to cover e-mail.
So that makes me a highly-regulated "data broker" unless I can skate on
some other technicality. Again, I'm arguably in the business of
regularly "collecting" information from people who aren't "customers" --
you don't buy anything from me. Let's assume I can't escape the rule
and continue this walk-through.
If I am indeed a data broker, what must I do?
* "Clearly and accurately" disclose all relevant "personal electronic
records" (maintained for disclosure to third parties) about an
individual if he or she asks me.
* "Develop and publish" a set of "procedures for correcting inaccurate
information."
* Offer to "investigate" "free of charge" any discrepancies.
* Provide an opportunity to insert a "100 word" notice of any dispute.
If I don't, I can be sued and fined $1,000-$2,000 per violation per day.
Title IV of the bill is far more exhausting. Any "business entity" (that
term again) including a sole proprietorship that collects, accesses,
transmits, stores, or disposes of personal info in digital form on over
10,000 U.S. persons must create a "data privacy and security program."
Well, there are over 10,000 Politech subscribers, and that's an even
broader definition (no requirement that it be limited to non-customers
or that the involvement be regular). So I'm likely covered. If that
happens, I must:
* "Implement a comprehensive personal data privacy and security program"
* Create a "risk assessment" to "identify reasonably foreseeable"
vulnerabilities
* "Assess the likelihood" of security breaches
* "Assess the sufficiency" of my policies to protect against them
* Protect information by encrypting it
* Publish the "terms of such program"
* Do "regular testing of key controls" to test security
* Select only superior "service providers" after doing "due diligence"
* Regularly "monitor, evaluate, and adjust" my security policies
If I don't, I can be fined up to $10,000 a day per violation.
Oh, and there's Title IV Subtitle B. It's pretty much the same
definition, and requires me to:
* In the case of a security breach of the Politech subscriber list, I
must notify the U.S. Secret Service and the state attorney general.
* And I must notify individual subscribers
* And I must notify consumer reporting agencies
* For individual subscribers, I must notify via physical mail to home
address, or if I can't, via telephone call to your home. There's no
provision for e-mail contact. But if I don't follow that procedure I
violate the law.
* I also must post this notice publicly on the Web and notify "major
media outlets"
If I don't follow those rules, I can be fined up to $10,000 a day per
violation -- and if I "willfully" conceal the security breach, I can be
fined something like $250,000 and be imprisoned for up to five years.
I recognize that senators Specter and Leahy are trying to target
ChoicePoint and Acxiom and so on. But their bill, as written, does not
appear to be written to include just those data warehouses. And given
that they've had months and (presumably) very bright people drafting it,
that makes me worried.
In fact, the definitions could cover, for instance, news organizations
(many news sites arguably provide personal information on thousands of
people, and People magazine's Web site certainly does). How about
popular blogs that have thousands of registered users? Search engines?
Google's phone number finding service? Libraries? Email service
providers? Alumni organizations for schools? Charities, like Golden Gate
National Parks Association? What about universities, especially in terms
of all the applications they get? Sweepstakes companies? I wonder if
probable supporters of this bill -- like the ACLU and EPIC -- would
enjoy having to follow all these complicated procedures (with the
penalty of fines or prison terms if they don't).
I admit this is just my preliminary reading, but my sense is that these
requirements will end up being another version of Sarbanes-Oxley, with
the same destructive, wealth-eroding implications:
http://www.politechbot.com/2005/06/16/richard-rahn-on/
Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust
prosecutors' discretion" is not a useful one). If I'm right, how much
harm will be done in the name of "protecting privacy?"
-Declan
---
News article:
http://news.com.com/2100-7348_3-5769156.html
Text of legislation (Leahy's floor statement is below):
http://i.i.com.com/cnwk.1d/pdf/ne/2005/Specter-Leahy.pdf
Additional background material:
http://www.politechbot.com/docs/leahy.floor.statement.062905.txt
http://www.politechbot.com/docs/specter.leahy.sections.062905.doc
http://www.politechbot.com/docs/specter.leahy.summary.062905.doc
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)