Re: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
From: Adam Shostack (adam@homeport.org)
Date: Tue Feb 21 2006 - 10:35:45 CST
On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack <adam@homeport.org> wrote:
| > Interesting article. I wonder how many laptops need to be stolen for
| > it to be foreseeable.
|
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defining that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.
Sure. Doesn't the standard of due care depend (in part) on
foreseeability? E.g., a normal person should foresee that kids will come
play in their pool. IANAL.
Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.
| I really think the regulations are written in a vacuum. Ever read the
| technical requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reworded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.
Yes.
_______________________________________________
Dataloss mailing list
Dataloss@attrition.org
https://attrition.org/mailman/listinfo/dataloss