re: CISPA Passes House: What's Next?
The portion referenced in the article attributed to EFF does not make it clear if that is the current wording or the modified. I would say that any company where prior knowledge of a security flaw that went unresolved and was material to the loss of personal data should be held liable. I do not understand how any company could use a good faith defense (faith that they chose the risk of not having an incident as acceptable).
The amount of information they are holding is frightening. I called my bank recently to make an inquiry. Before proceeding, I was asked to identify from the five cities that they would list which one had some relationship to my "family." Naturally, I expected a personal list. My surprise when the only one identifiable was the Georgia residence (population 500) of a brother's short-term second wife, divorced at least ten years prior (my family's origins are on the other side of the US). Thank goodness I remembered, but I was equally certain to have never listed it on any of my personal history forms. How and what kind of family history are banks assembling, storing, and what is reasonable retention? If this kind of detail was obtained through a cyber break-in, it is clear how easily identity theft could be effected. I am far more concerned about the commercial institutions' use and security of my personal data than that of the government's.