Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[Dataloss] Discussion regarding breach notification
From: lyger (lygerattrition.org)
Date: Tue May 09 2006 - 23:23:50 CDT
Some topical thoughts and possible material for discussion from Emergent
(from Chris Walsh's post):
"I think Adam is too kind to Arizona's new breach law.
My issues have to do with how various elements of the law might be
"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff
and my sense of what constitutes materiality has been warped, but I would
need to be reassured that this term means something "smaller" than it does
in the SOX context. I realize this language is present in practically all
breach laws, as well as HIPAA, etc.
"acquisition and access" -- so if I simply hack in (gain "access"), but
the audit trail doesn't show that I did "acquire" PII, you get to keep
quiet? How would acquisition be established?
"substantial economic loss" -- So credit card numbers are no biggie, since
liability is limited to an insubstantial amount?
"reasonably likely" -- So, losing the PII of a bunch of people with no
credit history, or those who have been demonstrated (by ID Analytics, or
even the FTC) to be unlikely victims (like children on public assistance,
say) gets you out of notifying?"
Dataloss Mailing List (datalossattrition.org)