SQLServerCentral is supported by Redgate

Tougher Privacy Laws

By Steve Jones

I am all for tougher privacy laws, especially for companies that have not followed basic security practices for securing data. There is a proposal from US Senator Ron Wyden that would increase penalties and give more rights to consumers. Consumers could opt out of data sharing and executives could be fined or jailed. The penalties are stiff, and I think it's not likely to pass, and more practically, many of the penalties might not actually get enforced.

In the US we don't have much in the way of rights over our own data as humans. Companies, for the most part, have complete control over the data they collect about us and can re-use, sell, share, etc. that data in any way they wish. There are some laws concerning notifications of data loss, and some penalties in California's recent law, but for most of the country, consumers are at the mercy of organizations. I'd like that to change, and I don't think doing so would hurt most businesses. Aggregators and data-only companies might struggle, but I'd like to see fewer of those companies in business.

Stronger penalties might stimulate change and better practices, but only if we fine or jail those that limit security efforts. Most technical people try to implement security but are often prevented or limited from making many changes when there is pressure to keep moving forward. Certainly some technical people don't take security seriously, but I'd like to see employees absolved of responsibility if they show that they have asked for time or resources for security, but those aren't granted. I'd also like to see some way for management at all levels to prove they have actually requested and funded security efforts, not just remain ignorant of the lack of security. Too many layers of management muddy the waters and often prevent those that are responsible for pushing other work over security from being held accountable. We need more accountability at all levels for poor security.

Likely there is a limited amount of structure that government can provide. Developers and infrastructure groups need to build and configure secure systems. Some funding needs to be available for security work, along with the time to do better. Management needs to make security a priority. It's a group effort, and while I hope we can get there, I'm not terribly confident things will improve soon.
