Data pimps
The Data Accountability and Trust Act (DATA) was approved by the U.S House Energy and Commerce Committee last week, sending it closer to a vote by the House.
This bill is far more liberal than one currently under consideration by the Senate. It makes public disclosure of data breaches mandatory. It also calls for FTC oversight and gives the agency the ability to demand a security audit (after the fact, unfortunately).
This is a good bill. Most of our country's privacy woes start with this--if companies can hide their breaches, then how do we know enough to even regulate them? Sure, some states (notably California) already require it, but you can rest assured that many states would never pass this legislation on their own. I could live with that; there's something to be said for the idea that you pick the state that you want to live in, based on shared beliefs and values. However, data breach is a national problem and ideally, should be treated uniformly.
The first step is notification. The second step is auditing and analysis--fixing the problems so there's no recurrence. The last step is punishment of the guilty. We have to find a way to whack the knuckles of these data pimps in the direct marketing industry. It's no accident that the big and nasty privacy incidents seem to happen to companies like Choicepoint and Acxiom. Their business model invites it and apparently they don't or at least haven't, taken security seriously enough. Like industrial polluters in the '60s, they will stop only when they're forced to. And the way to do that is to hit them where it hurts--in their money belts.
Posted on April 04, 2006
