The Finch Formerly Known As Gold

8 February 2008

But not too much protection

The Indiana State Senate is considering a bill to require notification of citizens who may be at risk due to data-security breaches, and rather a lot of industry hotshots just hate that:

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to require the attorney general to post a copy of each report to its Web site — so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.

Some of the arguments made against the bill were ludicrous in the extreme:

A lobbyist for Microsoft argued that phishing emails would be sent out to consumers, including a link to a real breach report on the AG's site, and then include a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into inputting their personal information.

And this would differ from every other phishing attempt on the face of the earth — how, exactly?

New Hampshire is already posting breach information, and no one's using it for phishing.

Meanwhile, existing Indiana law is plainly inadequate, except where it's plainly stupid:

The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password does nothing to protect the data if the hard disk is taken out of the computer.

You gotta wonder if Microsoft pushed for that provision, way back when.

The Indiana House, incidentally, has already passed this measure, 94-0.

(Via Steph Mineart.)

Posted at 9:46 PM to PEBKAC


Well, this is the same legislature that tried to make the value of pi = 3 by law, so it's not as tho they have a particularly high standard for laws.

Posted by: Dan B at 3:45 PM on 9 February 2008

Well, actually, it was 3.2.

(Thanks to Lindsay Beyerstein.)

Posted by: CGHill at 4:09 PM on 9 February 2008

Indiana House Bill 1197 is unwise to mention encryption technology specifically. See comments at http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html

Posted by: Benjamin Wright at 9:59 AM on 19 February 2008
Post a comment









Remember personal info?