[Dataloss] Discussion regarding breach notification
From: lyger (lyger at attrition.org)
Date: Tue May 09 2006 - 23:23:50 CDT
Some topical thoughts and possible material for discussion from Emergent
Chaos:
http://www.emergentchaos.com/archives/2006/05/breach_notification_the_n.html
http://www.emergentchaos.com/archives/2006/05/half_empty.html
(from Chris Walsh's post):
"I think Adam is too kind to Arizona's new breach law.
My issues have to do with how various elements of the law might be
interpreted:
"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff
and my sense of what constitutes materiality has been warped, but I would
need to be reassured that this term means something "smaller" than it does
in the SOX context. I realize this language is present in practically all
breach laws, as well as HIPAA, etc.
"acquisition and access" -- so if I simply hack in (gain "access"), but
the audit trail doesn't show that I did "acquire" PII, you get to keep
quiet? How would acquisition be established?
"substantial economic loss" -- So credit card numbers are no biggie, since
liability is limited to an insubstantial amount?
"reasonably likely" -- So, losing the PII of a bunch of people with no
credit history, or those who have been demonstrated (by ID Analytics, or
even the FTC) to be unlikely victims (like children on public assistance,
say) gets you out of notifying?"
[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/errata/dataloss/