* Mandate automatic, timely notification to the consumer when even one record is compromised. Forget numeric thresholds -- each and every consumer whose record is compromised is notified;
* Mandate government fines for violations, and prison for repeat offenders;
* Allow for consumers to sue if confidential data is not adequately safeguarded -- for instance, any lost or stolen plaintext data on portable media or computers is an immediate fault;
* Mandate that companies make the CEO or business leader accountable for these data protections, regardless of the size of the company. If the business holds even one consumer record, it must declare a responsible person;
* Mandate that any consumer can require any company to reveal what information they have on the consumer, and mandate that information must be accurate if the consumer contests it;
* Seed fund the entity that will be tasked with enforcing this new law, and allow it to self-fund (running on the funds collected from violators) thereafter. As any government entity likes to grow, this will ensure enforcement;
* Mandate that the entities tasked with upholding and enforcing the new law annually report to Congress on the number of violations and the penalties. This is to prevent a good security law from being passed but rarely enforced (e.g., HIPAA, SOX, and the hiring of illegal immigrants).
I wouldn't be happy with less, and you shouldn't either.
Would these clauses be burdensome on business? I don’t care. It’s burdensome that they keep allowing my confidential records to be lost and stolen.
One-third of all adults in the U.S. will have their identity records stolen this year. McFly? Hello, McFly!?! What more could it take for Congress to enact real consumer data protections?
Here's one scenario: It would take a hacker stealing the identity information of all the lawmakers in Congress and then posting that information to the Internet. And we will follow the rules set forth by their own current proposals, which means we'll consider notifying the affected members only if we think the data could be used fraudulently and if there are more than 10,000 records involved. Oops, there aren't more than 10,000 members of Congress -- guess they won't be getting a notification.
I mean, if Congress can play so loosely with our records, turnabout is only fair.