[Dataloss] Breach Notification Escape Mechanisms

From: lyger (lyger@attrition.org)
Date: Tue Mar 21 2006 - 14:51:49 CST


(commentary on securityfocus.com debit-card fraud article posted earlier)

http://www.emergentchaos.com/archives/2006/03/breach_notification_escap.html

In a somewhat incendiary piece published today at Securityfocus.com,
Robert Lemos reports on loopholes in notification laws which permit firms
to avoid informing people that their personal information has been
revealed.

According to the article, which along with unnamed "security experts" also
cites industry notable Avivah Levitan, "[t]here are three cases in which a
company suffering a breach can bypass current notification laws". First is
if notification would impede an investigation by law enforcement, then:

     If the stolen data includes identifiable information--such as debit
     card account numbers and PINs--but not the names of consumers, then a
     loophole in the law allows the company who failed to protect the data to
     also forego notification. Finally, if the database holding the personal
     information was encrypted but the encryption key was also stolen, then the
     company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

[...]
_______________________________________________
Dataloss Mailing List (dataloss@attrition.org)
http://attrition.org/errata/dataloss/