Government Privacy Technology

Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com) 276

On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."


  • by cayenne8 ( 626475 ) on Wednesday April 03, 2019 @03:34PM (#58380376) Homepage Journal
    ...like maybe pass laws in the US, that stipulate that the individual citizens' data belongs to THEM and that they must opt IN in order for companies to collect and use in any manner, their data?

    Roll it up in online and maybe expanded individual privacy rights? The right to be forgotten? Banning shadow accounts (facebook) on people that never even joined your system/application/social media...?

    Now something like that might actually be healthy and helpful to the average US citizen....

    • The only way something like that would work is if it comes with a crap ton of regulators to enforce it. Which, I don't consider a bad thing, but in today's political climate of deregulation, do you honestly see that passing?

      • Given the current climate in the Senate, I struggle to come up with an idea for *any* bill to benefit voters that would need 60 votes to pass.
    • Worthless (Score:3, Informative)

      EU did this with their data protection act. The result was that every time you opened Google or any other Google service that a banner popped up telling you to authorize them to do whatever they were doing without your consent to that point. If you didn't confirm, you couldn't use any Google service anymore. Imagine telling that to your boss if work needs to be done...

      • by AmiMoJo ( 196126 )

        Actually no, that would not comply with GDPR and is not what Google does.

        Under GDPR it is not allowed to tie provision of services to use of personal data that is not essential to providing said services. In other words you can't be forced to agree to non-essential processing just to use Google search.

        Google displays a box asking you to review your privacy settings. If you ignore it, they legally can't use your data for non-essential purposes. It has to be opt-in. Eventually they will create a pop-over, but yo

    • by rsilvergun ( 571051 ) on Wednesday April 03, 2019 @07:25PM (#58381462)
      You care about privacy to protect what you have, and what you have gets less and less every year.

      This isn't a shot at tech companies. She just did that so it's harder to criticize her (after all, the tech companies just love liberals). No, this is a shot at the folks who crashed the economy in 2008. After that working class Americans lost trillions in wealth. That wealth wasn't destroyed, it was pocketed by the rich. It was the single biggest wealth transfer in my life. Maybe in history.

      The trouble here is we focus too much on how Facebook knows what color car we like best or our favorite restaurant and not enough on the massive wealth grab that happens every 10 years when corrupt businessmen and politicians crash the economy and then buy up our assets at rock bottom prices while we're laid off.
    • by jbn-o ( 555068 )

      Your comments are doubly inactionable. You suggest that the proposed legislation is not useful but you don't say why you think it is not useful. And you don't write up legislation for your congressmembers that would implement what you think is useful. Lobby groups are well known to write legislation for Congress to pass; you should take your ideas and put them into language that can get passed (the legal equivalent of "code or ..." minus the foul language and telling people to not participate in free speech

  • About time! (Score:4, Insightful)

    by EzInKy ( 115248 ) on Wednesday April 03, 2019 @03:34PM (#58380378)

    Awesome. Somebody needs to be held responsible.

    • Awesome. Somebody needs to be held responsible.

      Yeah, never mind whether the guy held responsible had anything to do with the crime...

      Note that most CEOs, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.

      • Awesome. Somebody needs to be held responsible.

        Yeah, never mind whether the guy held responsible had anything to do with the crime...

        Note that most CEOs, while they may be responsible for the decision to gather massive amounts of data, aren't actually writing code, so holding them responsible for bad code is...questionable.

        The CEO is responsible to the stockholders. If the company gets rocked a bit by the number one guy going to jail, maybe getting a new boyfriend while there - they might have something to say about it.

  • Waitaminute (Score:4, Funny)

    by cahuenga ( 3493791 ) on Wednesday April 03, 2019 @03:36PM (#58380396)
    You can't treat us like people!
  • by alvinrod ( 889928 ) on Wednesday April 03, 2019 @03:38PM (#58380416)
    This won't pass anyway, but even if it did what's really going to change if we can't enforce existing laws against executives when they perpetrate fraud or break other laws?

    If you really want to make companies care about security and data privacy, make it easier for consumers to sue companies in civil court for these kinds of breaches. Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.
    • Companies care far more about threats to their bottom line, and are going to respond far more quickly to things which threaten it.

      Equifax says "Hi", and would like to remind you that they exist. Also, they made way more money by not paying for decent security than they lost in fines and lawsuits.

  • by EvilSS ( 557649 ) on Wednesday April 03, 2019 @03:41PM (#58380438)
    Meet the CDBSO: Chief Data Breach Sacrificial Officer! Selected from the working peons, the CDBSO is catapulted from his labors in the basement IT room to the top floor with a plush closet and low 5 figure salary! Should a data breach occur, the CDBSO will lead the charge... sheet in a federal indictment.
  • shes got my vote (Score:2, Interesting)

    by Anonymous Coward

    It's about time someone proposed a bill like this.

  • They hold more data on people than anyone on government computers. And they have proven they can be hacked. (OPM, etc.)
    They should be required to take just as much care of it as any business. And they should face the same penalties. Maybe even retired Execs on whose watch systems stagnated for 10 or more years.

  • by SlaveToTheGrind ( 546262 ) on Wednesday April 03, 2019 @03:55PM (#58380528)

    All successful legislation has some sort of memorable/cute/catchy acronym. "CEA" just doesn't cut the mustard. Something like the Corporate Responsibility After Pwnage Act would have had a much better shot.

  • by magzteel ( 5013587 ) on Wednesday April 03, 2019 @04:52PM (#58380846)

    How about instead she proposes the "Politician Accountability Act"?

    "The Politician Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" politicians when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when politicians oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."

  • SARBOX makes executives personally responsible for the accuracy of the financial data they put out. This has made them get serious about the source of that financial data within their own company. Maybe a bill like this would help with privacy the same way.
  • A common problem with laws like this is it's hard to write legal verbiage precisely enough to have teeth yet not be so specific that it leaves work-arounds and loopholes.

    If you use generalizations and leave interpretation to judges and juries, they'll confuse it every which way, often depending on the manipulation prowess of the lawyers involved.

    It may do nothing but make lawyers rich and everybody else confused.

  • This does nothing but shift the blame from the Hackers to the Execs while doing jack shit to address the issue. What the Government needs to do is introduce a National Data Security Standard and most likely an Agency to work with Universities and the Industry to Draft that standard as well as be proved a means of oversight and enforcement. The Government should also provide free tools, services and libraries that the public can use to secure their data in accordance to those standards. But I fear that anyth
  • Is there any candidate who both isn't corrupt and NOT an obnoxious rabid zealot?

    the term 'covered corporation' means a corporation that generates more than $1,000,000,000 in revenue on an annual basis

    Why should how much a company makes dictate CRIMINAL liability of executive officers? Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vice versa? Why should an executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?

    Making law that targets people you don't like so s

    • by jeff4747 ( 256583 ) on Wednesday April 03, 2019 @09:15PM (#58381852)

      Why should how much a company makes dictate CRIMINAL liability of executive officers?

      Because such a company has sufficient resources to actually fix the security holes identified by their security team.

      Also, plain-ol' negligence gets the job done on smaller companies. Larger ones just factor the cost of fines and/or lawsuits into the decision.

      Why should during an off-year when yearly revenues dip below some magic threshold the same executive officer have less CRIMINAL liability or vis versa?

      Such line-crossing is not all that common. And you have to have some line to differentiate between a Mom-and-Pop and Equifax.

      Why should executive officer of a small million dollar company have less CRIMINAL liability for the same exact behavior as a larger company?

      The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business. Executives at larger companies (there's a reason I cited Equifax above) aren't.

      Leave it to the lawyers to keep trying to make everyone liable for something even if they had nothing to do with it.

      You should probably learn a bit about the concept of Negligence before commenting.

      "We got hacked" isn't negligence. "Sir, There's a massive security hole here!", "I don't want to spend the money to fix it" is. The executives are in charge of making such a decision. That's why they get the big bucks.

      Nice a law that turns arbitrary uncategorized unspecified civil violations into criminal ones.

      Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.

      • Because such a company has sufficient resources to actually fix the security holes identified by their security team.

        This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.

        The smaller company is usually restrained by the danger of lawsuits - they could actually destroy the business

        What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?

        You should probably learn a bit about the concept of Negligence before commenting.

        Negligence is whatever you can convince a judge and or jury negligence is.

        "We got hacked" isn't negligence.

        You're a big company, you get hacked, you get fined and sued no matter what the facts of the situation are. You could be fully compliant with whatever security standards exist and it won't do you a lick of good.

        Well, the fine executives over at ol' Equifax decided it was cheaper to just keep the security holes in place, and paid a pittance in civil liability.

        Is this suppose

        • by jeff4747 ( 256583 ) on Wednesday April 03, 2019 @10:04PM (#58381958)

          This is completely absurd on its face. It doesn't take a billion dollars of revenue a year to do this.

          So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.

          The line is drawn here such that these regulations would only affect very large companies. Because it's those very large companies that are not being reined in by plain-ol' negligence lawsuits.

          What is the relationship between effect of lawsuits on company and sending people to jail for CIVIL liability?

          The lawsuits are ineffective at getting very large corporations to care.

          Let me put it this way: In a lawsuit, you can recover the value of what you lost. Someone destroys your car, you can sue and get the value of your car.

          I was affected by the Equifax hack. Legally, the value lost to me in that hack is $0.

          I am not a party to any transactions where that data has value (Equifax and its customers), so I'm not out any money. "Someone may commit credit card fraud in the future" is not a basis for winning a lawsuit. If someone actually did commit credit card fraud, I would have to prove the data came from the Equifax hack and not, say, the Blue Cross hack where my data was also stolen. And that's not possible due to all the middlemen involved in getting that data to the people who actually commit fraud.

          At best, I could demand Equifax pay for credit monitoring for some very limited period of time. And since Equifax already provides that service, they are out a very trivial amount of money - it costs them almost nothing to turn on the monitoring software they already have.

          Which means civil liability provides exactly zero disincentive to Equifax's executives.

          Negligence is whatever you can convince a judge and or jury negligence is.

          Nope, it has an actual legal definition.

          You're a big company you get hacked you get fined and sued no matter what the facts of the situation is.

          And as I demonstrated above, the cost of those fines and lawsuits is negligible, and thus provides no disincentive for being negligent.

          Heck, golden parachutes mean there's virtually no incentive for executives to avoid negligence even if fines were astronomical. They'd still make a ton of money before the shit hit the fan, and the shit hitting the fan is zero impediment for getting a new job (Hi Bob Nardeli!)

          • Negligence is whatever you can convince a judge and or jury negligence is.

            Nope, it has an actual legal definition.

            A legal definition whose outcome rests primarily on what a "reasonable person" would do.

            So, not familiar with the concept of "revenue" then? 'Cause revenue is not operating budget.

            In effect you are making fun of yourself. You were the one who originally asserted a relationship between revenue and operating budget when you said "such a company has sufficient resources to actually fix the security holes"

            The point I was making is clear to any reasonable person. You don't need to be making a billion dollars a year to have the resources to "actually fix security holes identified by their security tea

  • by kenh ( 9056 )

    Define "negligent" executives - is it "negligent" to hire a competent staff, but the staff makes a mistake?

    • is it "negligent" to hire a competent staff, but the staff makes a mistake?

      Nope.

      It is negligent to hire a competent staff, have that staff warn you about security issues, and you decide to save money by not fixing them.

      The more difficult line to draw is just how incompetent does your staff need to be before it's negligence. But that's what judges and juries are for.

  • I'm all for this bill to be honest.

    This is how the military operates. Take a ship for example.

    If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
    If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
    ( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )

    You don't get to blame it on a scapegoat.

    • If you are the Commanding Officer of a ship, then everything about that ship is ultimately your responsibility. Good or bad.
      If something stupid happens it's YOUR fault because there is likely something YOU could have done to prevent it.
      ( Be it better training for your crew, better judgement from your Officers, knowing everything about your ship inside and out, etc. etc. )

      You don't get to blame it on a scapegoat. YOUR command, YOUR responsibility. Period.
      Your glory if you get it right, your shame if you don't.

      Sounds great. Only problem is, it's demonstrably false.

      Captain Kelly ran the Enterprise, a nuclear powered aircraft carrier, aground and was promoted a few months later.

      Captain Larrobino was not charged when a sailor was having a bad day and panic tossed a lit magnesium flare into a weapons locker nearly destroying a different aircraft carrier while killing 44. After the cause was found (manufacturing defects in flares) everyone who had been slapped on the wrist or court-martialed was cleared.

      The risk alone will deter all but the most serious candidates to even apply for the job. Hell, it may even ensure that CEOs take security seriously. ( for once )

      The problem with th

    • If I had mod points, I would absolutely give you one.

  • by sabbede ( 2678435 ) on Thursday April 04, 2019 @07:23AM (#58382902)
    "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail,"

    But if a bank gets robbed, and the bank's customers' money is stolen, we don't put the bank manager in jail, we put the robber in jail. A corporation that got breached is far more like a robbed bank than it is a pickpocket.

    If she wants to change the law to call a corporation that fails to do its due diligence in protecting user data criminally negligent, that's fine. If she wants to take a company that was taking reasonable precautions but got breached anyway, and send the executives to prison for having been robbed, that's absurd.
