
Blumenthal Seeks Input On Bill to Protect Consumer Data

by Hugh McQuaid | Aug 12, 2011 10:30am
Posted to: Congress, Corporate Watch, Education, Legal


U.S. Sen. Richard Blumenthal said Thursday that the debt debate that’s certain to dominate the discussion when Congress meets again in September shouldn’t prevent Congress from passing a vital bill to protect citizens’ data privacy.

He met with academic computer security experts at the University of Connecticut’s Greater Hartford campus to hear ideas as he drafts the bill. It’s a necessary effort because computer data breaches are a continuing and constant threat to citizens and consumers both in Connecticut and across the country, he said.

“There were 23 million people affected by breaches of data that threatened financial loss, embarrassment, privacy invasion. We’re not talking about something that is abstract or conceptual—these data breaches have practical and profoundly important consequences for millions of Americans, individuals and families across the country,” he said.

Blumenthal hopes his bill will address what he called a glaring gap in the protections afforded to people affected by data breaches.

The problem is only likely to get worse as more and more organizations collect information about people as consumers, patients, students, bankers and borrowers, he said.

The concern is that institutions, companies and other third parties that collect personal data stockpile the information, keeping it even after they no longer need it. It’s often difficult to tell how well they protect the information from identity thieves or whether it’s being sold for other purposes like targeted marketing.

Blumenthal likened the process to experiences he had after he and his wife had children. Each time they came home from the hospital with a new baby they would begin receiving mail, enticing them to buy diapers and baby formula, he said. He wondered how the marketers knew they had recently had a baby and later found out the hospital was selling the information, he said.

The bill would force companies to take better care of private information like addresses, social security numbers, and medical records, he said.

“That information is more vulnerable than ever because many American corporations have failed to take sufficient steps to safeguard this type of information,” he said.

Many corporations have also failed to act once data breaches are discovered and to notify people when they happen, he said.

The experts at the roundtable discussion agreed with him.

“To pretend your social security number is private at this point is almost foolish,” said Jason Pufahl, UConn’s chief information security officer.

Blumenthal asked Pufahl and Yale computer science professor Mike Fischer for input on what his multi-pronged bill should do to protect data privacy. They said it was an important issue for the federal government to address but said there is no one “silver bullet” to fix it.

“When I think in terms of legislation I can’t think of a simple piece of legislation that would have that kind of a cure,” Fischer said.

Instead the bill will have to come at the problem from a number of different angles, they said.

It will have to address the current corporate culture, Fischer said. Many corporate employees aren’t taught to value and protect the information as much as they should, he said.

He likened a corporate employee who takes personal data home to work on at his private computer and then loses the information to a power plant worker who takes home radioactive waste to work with in his basement.

“It’s a terrible breach of accepted standards and behavior,” he said.

Training and certification programs could alleviate the problem, he said. Employees should be taught to get rid of information that is no longer needed because less data equals less risk, he said.

Blumenthal agreed changing the corporate culture should be an important function of his bill.

“What I see very often in the reaction is once there is a data breach, ‘Oh well, so what? We lost the data, that’s too bad. You really don’t want us to pay a penalty, do you?’” he said.

Pufahl said the bill should also assign responsibility to those charged with safeguarding the data. If someone is held accountable for the data’s protection they will be more inclined to keep and collect less of it, he said. Companies should have clear policies regarding what data they collect, how they protect it and when they purge it, he said.

“Very often it’s ‘We collect it and keep it in perpetuity because… we may need it someday.’ That puts us in the position we’re in today,” he said.

Often institutions can lose track of where the data is or even forget they have it, he said. Finding it and cleaning it up can be a monumental task, he said, using the university as an example.

UConn put policies in place years ago to stop collecting as much data, he said, but noted the university has a hugely distributed system: any one of the school’s 30,000 computers could potentially have personal information on it.

Pufahl recommended the legislation allow a window for companies to come into compliance and be constructed in a way where corporate workers can still get their jobs done.

If the bill harshly and immediately penalizes a company to make an example of it, it will discourage others from helping to find lost data, he said.

Perhaps the biggest task in the effort to protect data privacy is user awareness, Pufahl said. Increasingly, people voluntarily give up their locations, habits, and information on social networking sites and often don’t think twice about entering their social security number when prompted, he said.

Blumenthal said young people in particular seem to not value their privacy.

“They’re very cavalier often with the information they are willing to share,” he said.

After the talk Blumenthal said the fresh ideas will be useful as he tries to move the bill through the legislative process at the nation’s Capitol, which he said can be an “echo chamber.” He said he plans to introduce it when Congress meets again next month but invited suggestions to improve and expand it going forward.


(2) Comments

posted by: Luther Weeks | August 12, 2011  12:39pm

It is not just Corporations. The Federal Government, States, and Cities are subject to data loss. It is not just employees taking data home, it is also data breaches. For some recent examples, see: http://ctvoterscount.org/?cat=61

Even the Department of Defense and Google have been breached. The DoD does not know how to stop it.

posted by: Bill M. | August 13, 2011  12:22pm

If this is what Senator Blumenthal has to do to fill his timesheet, I’m not sure we’re getting our money’s worth as taxpayers.