8 February 2008
But not too much protection
The Indiana State Senate is considering a bill to require notification of citizens who may be at risk due to data-security breaches, and rather a lot of industry hotshots just hate that:
The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to require the attorney general to post a copy of each report to its Web site so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.
Some of the arguments made against the bill were ludicrous in the extreme:
A lobbyist for Microsoft argued that phishing emails would be sent out to consumers, including a link to a real breach report on the AG's site, and then include a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into inputting their personal information.
And this would differ from every other phishing attempt on the face of the earth how, exactly?
New Hampshire is already posting breach information, and no one's using it for phishing.
Meanwhile, existing Indiana law is plainly inadequate, except where it's plainly stupid:
The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password does nothing to protect the data if the hard disk is taken out of the computer.
You gotta wonder if Microsoft pushed for that provision, way back when.
The Indiana House, incidentally, has already passed this measure, 94-0.
(Via Steph Mineart.)
Posted at 9:46 PM to PEBKAC