:)
>-----Original Message-----
>From: politech-bounces at politechbot.com
>[mailto:politech-bounces at politechbot.com] On Behalf Of Declan
>McCullagh
>Sent: Thursday, June 30, 2005 12:14 AM
>To: politech at politechbot.com
>Subject: [Politech] Preliminary analysis of new Specter-Leahy data security
>bill: opinions? [priv]
>
>It's worth taking a close look at the new Specter-Leahy security breach
>bill -- introduced Wednesday -- because it's the most comprehensive so
>far and the leading candidate to be enacted into law this year. It's
>even, at least in theory, going to be voted on in the Senate Judiciary
>committee on Thursday:
>http://judiciary.senate.gov/meeting_notice.cfm?id=1555
>
>The sections dealing with government use of databases seem generally
>useful (though some loopholes exist, like the requirement that a
>database is "primarily" of Americans before its use is covered -- look
>for the FBI to start inserting random Mexican names to get around the
>"primarily" requirement). So let's look at the private sector
>components.
>
>Bear with me as we get a little technical here...
>
>Title III of the bill erects a complex regulatory scheme around any
>"data broker." That's defined as a "business entity" that is in the
>regular business of "collecting, transmitting, or otherwise providing
>personally identifiable information" of 5,000 or more people who are
>not "customers" or "employees." Business entity is defined as any
>organization, including a sole proprietorship, that's in the business of
>making money, or a non-profit group that isn't.
>
>Well, Politech is a sole proprietorship -- I have some Google text ads
>on politechbot.com that make a princely $10-$15 or so a month. If they
>made more I wouldn't complain. And I'm pleased to say that the list
>includes over 5,000 subscribers.
>
>Do I "collect[]" personal information? 18 USC 1028(d)(7) defines that as
>"any name or number that may be used, alone or in conjunction with any
>other information, to identify a specific individual." Mailman gives
>subscribers the option of typing in their name, and obviously I have
>everyone's email addresses. 18 USC 1028(d)(7)(C) explicitly includes any
>"unique electronic identification number, address, or routing code" so
>that seems to cover e-mail.
>
>So that makes me a highly-regulated "data broker" unless I can skate on
>some other technicality. Again, I'm arguably in the business of
>regularly "collecting" information from people who aren't "customers" --
>you don't buy anything from me. Let's assume I can't escape the rule
>and continue this walk-through.
>
>If I am indeed a data broker, what must I do?
>
>* "Clearly and accurately" disclose all relevant "personal electronic
>records" (maintained for disclosure to third parties) about an
>individual if he or she asks me.
>* "Develop and publish" a set of "procedures for correcting inaccurate
>information."
>* Offer to "investigate" "free of charge" any discrepancies.
>* Provide an opportunity to insert a "100 word" notice of any dispute.
>
>If I don't, I can be sued and fined $1,000-$2,000 per violation per
>day.
>
>Title IV of the bill is far more exhausting. Any "business entity" (that
>term again) including a sole proprietorship that collects, accesses,
>transmits, stores, or disposes of personal info in digital form on over
>10,000 U.S. persons must create a "data privacy and security program."
>
>Well, there are over 10,000 Politech subscribers, and that's an even
>broader definition (no requirement that it be limited to non-customers
>or that the involvement be regular). So I'm likely covered. If that
>happens, I must:
>
>* "Implement a comprehensive personal data privacy and security
>program"
>* Create a "risk assessment" to "identify reasonably foreseeable"
>vulnerabilities
>* "Assess the likelihood" of security breaches
>* "Assess the sufficiency" of my policies to protect against them
>* Protect information by encrypting it
>* Publish the "terms of such program"
>* Do "regular testing of key controls" to test security
>* Select only superior "service providers" after doing "due diligence"
>* Regularly "monitor, evaluate, and adjust" my security policies
>
>If I don't, I can be fined up to $10,000 a day per violation.
>
>Oh, and there's Title IV Subtitle B. It's pretty much the same
>definition, and requires me to:
>
>* In the case of a security breach of the Politech subscriber list, I
>must notify the U.S. Secret Service and the state attorney general.
>* And I must notify individual subscribers
>* And I must notify consumer reporting agencies
>* For individual subscribers, I must notify via physical mail to home
>address, or if I can't, via telephone call to your home. There's no
>provision for e-mail contact. But if I don't follow those procedures I
>violate the law.
>* I also must post this notice publicly on the Web and notify "major
>media outlets"
>
>If I don't follow those rules, I can be fined up to $10,000 a day per
>violation -- and if I "willfully" conceal the security breach, I can be
>fined something like $250,000 and be imprisoned for up to five years.
>
>I recognize that senators Specter and Leahy are trying to target
>ChoicePoint and Acxiom and so on. But their bill, as written, does not
>appear to be written to include just those data warehouses. And given
>that they've had months and (presumably) very bright people drafting it,
>that makes me worried.
>
>In fact, the definitions could cover, for instance, news organizations
>(many news sites arguably provide personal information on thousands of
>people, and People magazine's Web site certainly does). How about
>popular blogs that have thousands of registered users? Search engines?
>Google's phone number finding service? Libraries? Email service
>providers? Alumni organizations for schools? Charities, like Golden Gate
>National Parks Association? What about universities, especially in terms
>of all the applications they get? Sweepstakes companies? I wonder if
>probable supporters of this bill -- like the ACLU and EPIC -- would
>enjoy having to follow all these complicated procedures (with the
>penalty of fines or prison terms if they don't).
>
>I admit this is just my preliminary reading, but my sense is that these
>requirements will end up being another version of Sarbanes-Oxley, with
>the same destructive, wealth-eroding implications:
>http://www.politechbot.com/2005/06/16/richard-rahn-on/
>
>Perhaps I'm wrong. I'd welcome responses (and "don't worry, trust
>prosecutors' discretion" is not a useful one). If I'm right, how much
>harm will be done in the name of "protecting privacy?"
>
>-Declan