Re: [Dataloss] Firms play Data Protection roulette
The UK Data Protection Law is just one of many different data protection
laws. The UK was required to locally implement the EU Data Protection
Directive and did so with their passage of the UK Data Protection Act.
To see which countries have laws regulating the use and protection of data,
visit http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000
Saundra Kae Rubel, CIPP
_____
From: dataloss-bounces attrition.org [mailto:dataloss-bouncesattrition.org]
On Behalf Of Al Mac
Sent: Saturday, July 08, 2006 4:48 PM
To: datalossattrition.org
Subject: Re: [Dataloss] Firms play Data Protection roulette
Until this link, I had never heard of the Data Protection Act.
I have been employed as a computer professional for over 40 years.
Since I am a software developer for a privately owned manufacturer (not yet
subject to SOX and many well known other regulations, but we are under UL
ISO ROHS and some others), in which I vigorously test all my work using
subsets of the live data, where I had always thought the security issues
were who can access what data for what purposes, not whether it is in a live
or test condition, I went looking for the particulars of this law.
It is a British law, perhaps European.
http://en.wikipedia.org/wiki/Data_Protection_Act_1998
The Wikipedia article is a small beginning.
It does not communicate what constitutes private data under this law.
For example, some US law says e-mail addresses are included as private data.
There's a lot in US laws about parts of social security #s and bank account
numbers.
The Wikipedia article does not say anything about restricting testing of
software development.
Here is another explanation
I carefully read through this and saw nothing about any rules saying that we
cannot use live data when doing testing.
Of course this link might not be as official as the NetworkWorld article.
http://www.dataprotectionact.org/
I am in general agreement with the 8 principles, except there can be great
ambiguity about how long certain types of data ought to be kept. If we get
audited by the taxing authorities, we had better have all the payroll data
on our people from several years ago, available for their access. If a
question comes up about the safety of any product we have manufactured, we
had better have full records on where all the components came from and other
details, such as identities of people who inspected and certified product
perfection. There is no statute of limitations on product safety in the
USA. We have to store that kind of data to infinity.
Since some data must be stored for a long long time, there is an issue not
just of security to block inappropriate access, but also what kind of media
it should be stored on. Today CDs or DVDs make sense, but some data was on
various shapes of diskettes when we first got that data, and magnetic media
is known to only hold the data reliably for like 10 years in climate
controlled conditions,. This varies with quality of diskette or tape
manufacturer, and some media is particularly prone to getting messed up so
we can't read it, like a tangled tape, or diskette out of registration with
the device that reads it Even then, I like to have more than one set of
backups.
There is a link in turn to
www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4
My interpretation of this is that the act does not ban core business
activities, I consider the testing of software changes to be a core business
activity, and I see no place here where the act disagrees with me, although
I have not read all of the content here.
http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html
?nlhtsec=070306securityalert3
By Radhika Praveen, TechWorld, 07/05/06
Large numbers of companies are taking risks with data protection, because
they are not aware of the requirements of the law.
Nearly half (44%) of companies use live data in test environments --
something the 1998 Data Protection Act warns against explicitly, according
to a recent survey of IT directors by Compuware.
Half the directors (48%) were only 'vaguely familiar' with the Act itself,
according to the research, which highlights the importance of
understanding the demands and keeping track of how customer data is
treated.
A further "83% used only minimal measures such as using non disclosure
agreements (NDA) to control data when outsourcing," said Ian Clarke, world
wide enterprise solutions director at Compuware.
NDAs are all very well, but companies find it difficult to communicate the
complex legal terms to their employees or to outsourcing partners, said
the survey report. "Unless they have rigorous procedures in place, they
run the risk of live data being leaked to third parties. This can have
severe repercussions on customer confidence and company reputation, and
ultimately affect the bottom line," Clarke added.
An NDA doesn't mean a lot when an employee in an outsourcing company in
India for example who earns $100-a-day can earn much more by selling
confidential data, he said.
[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
-
Al Macintyre
http://en.wikipedia.org/wiki/User:AlMac
http://www.ryze.com/go/Al9Mac
BPCS/400 Computer Janitor ... see
http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
Using real personal data for testing is usually not a purpose
specified under various privacy policies & disclosures, and usually
doesn't hit the "essential" tests that the laws allow.
In the US, that's probably less of a problem legally, because we don't
have a general data protection law, but in other countries, using live
data for test is probably out.
Adam
On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
| Until this link, I had never heard of the Data Protection Act.
|
| I have been employed as a computer professional for over 40 years.
|
| Since I am a software developer for a privately owned manufacturer (not yet
| subject to SOX and many well known other regulations, but we are under UL ISO
| ROHS and some others), in which I vigorously test all my work using subsets of
| the live data, where I had always thought the security issues were who can
| access what data for what purposes, not whether it is in a live or test
| condition, I went looking for the particulars of this law.
|
| It is a British law, perhaps European.
| http://en.wikipedia.org/wiki/Data_Protection_Act_1998
|
| The Wikipedia article is a small beginning.
| It does not communicate what constitutes private data under this law.
| For example, some US law says e-mail addresses are included as private data.
| There's a lot in US laws about parts of social security #s and bank account
| numbers.
| The Wikipedia article does not say anything about restricting testing of
| software development.
|
| Here is another explanation
| I carefully read through this and saw nothing about any rules saying that we
| cannot use live data when doing testing.
| Of course this link might not be as official as the NetworkWorld article.
| http://www.dataprotectionact.org/
|
| I am in general agreement with the 8 principles, except there can be great
| ambiguity about how long certain types of data ought to be kept. If we get
| audited by the taxing authorities, we had better have all the payroll data on
| our people from several years ago, available for their access. If a question
| comes up about the safety of any product we have manufactured, we had better
| have full records on where all the components came from and other details, such
| as identities of people who inspected and certified product perfection. There
| is no statute of limitations on product safety in the USA. We have to store
| that kind of data to infinity.
|
| Since some data must be stored for a long long time, there is an issue not just
| of security to block inappropriate access, but also what kind of media it
| should be stored on. Today CDs or DVDs make sense, but some data was on
| various shapes of diskettes when we first got that data, and magnetic media is
| known to only hold the data reliably for like 10 years in climate controlled
| conditions,. This varies with quality of diskette or tape manufacturer, and
| some media is particularly prone to getting messed up so we can't read it, like
| a tangled tape, or diskette out of registration with the device that reads it
| Even then, I like to have more than one set of backups.
|
| There is a link in turn to
| www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4
|
| My interpretation of this is that the act does not ban core business
| activities, I consider the testing of software changes to be a core business
| activity, and I see no place here where the act disagrees with me, although I
| have not read all of the content here.
|
|
|
| http://www.networkworld.com/news/2006/
| 070506-firms-play-data-protection.html?nlhtsec=070306securityalert3
|
| By Radhika Praveen, TechWorld, 07/05/06
|
| Large numbers of companies are taking risks with data protection, because
| they are not aware of the requirements of the law.
|
| Nearly half (44%) of companies use live data in test environments --
| something the 1998 Data Protection Act warns against explicitly, according
| to a recent survey of IT directors by Compuware.
|
| Half the directors (48%) were only 'vaguely familiar' with the Act itself,
| according to the research, which highlights the importance of
| understanding the demands and keeping track of how customer data is
| treated.
|
| A further "83% used only minimal measures such as using non disclosure
| agreements (NDA) to control data when outsourcing," said Ian Clarke, world
| wide enterprise solutions director at Compuware.
|
| NDAs are all very well, but companies find it difficult to communicate the
| complex legal terms to their employees or to outsourcing partners, said
| the survey report. "Unless they have rigorous procedures in place, they
| run the risk of live data being leaked to third parties. This can have
| severe repercussions on customer confidence and company reputation, and
| ultimately affect the bottom line," Clarke added.
|
| An NDA doesn't mean a lot when an employee in an outsourcing company in
| India for example who earns $100-a-day can earn much more by selling
| confidential data, he said.
|
| [...]
|
| _______________________________________________
| Dataloss Mailing List (datalossattrition.org)
| http://attrition.org/errata/dataloss/
|
| -
| Al Macintyre
| http://en.wikipedia.org/wiki/User:AlMac
| http://www.ryze.com/go/Al9Mac
| BPCS/400 Computer Janitor ... see
| http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
| _______________________________________________
| Dataloss Mailing List (datalossattrition.org)
| http://attrition.org/errata/dataloss/
|
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
I think we should make a distinction between live data and real data.
Some companies make copies of their live data and put it in their
development environment(s) for development and testing. It's not live
data, but it is certainly real.
There are many benefits to using a copy of live data, but in today's
reality, I think the risk to the business is too great to endorse this
activity. I think it also might violate the spirit of "separation of
duty" that most companies implement to keep developers out of production
systems.
Regards,
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.
Adam Shostack wrote:
> Using real personal data for testing is usually not a purpose
> specified under various privacy policies & disclosures, and usually
> doesn't hit the "essential" tests that the laws allow.
>
> In the US, that's probably less of a problem legally, because we don't
> have a general data protection law, but in other countries, using live
> data for test is probably out.
>
> Adam
>
> On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
> | Until this link, I had never heard of the Data Protection Act.
> |
> | I have been employed as a computer professional for over 40 years.
> |
> | Since I am a software developer for a privately owned manufacturer (not yet
> | subject to SOX and many well known other regulations, but we are under UL ISO
> | ROHS and some others), in which I vigorously test all my work using subsets of
> | the live data, where I had always thought the security issues were who can
> | access what data for what purposes, not whether it is in a live or test
> | condition, I went looking for the particulars of this law.
> |
> | It is a British law, perhaps European.
> | http://en.wikipedia.org/wiki/Data_Protection_Act_1998
> |
> | The Wikipedia article is a small beginning.
> | It does not communicate what constitutes private data under this law.
> | For example, some US law says e-mail addresses are included as private data.
> | There's a lot in US laws about parts of social security #s and bank account
> | numbers.
> | The Wikipedia article does not say anything about restricting testing of
> | software development.
> |
> | Here is another explanation
> | I carefully read through this and saw nothing about any rules saying that we
> | cannot use live data when doing testing.
> | Of course this link might not be as official as the NetworkWorld article.
> | http://www.dataprotectionact.org/
> |
> | I am in general agreement with the 8 principles, except there can be great
> | ambiguity about how long certain types of data ought to be kept. If we get
> | audited by the taxing authorities, we had better have all the payroll data on
> | our people from several years ago, available for their access. If a question
> | comes up about the safety of any product we have manufactured, we had better
> | have full records on where all the components came from and other details, such
> | as identities of people who inspected and certified product perfection. There
> | is no statute of limitations on product safety in the USA. We have to store
> | that kind of data to infinity.
> |
> | Since some data must be stored for a long long time, there is an issue not just
> | of security to block inappropriate access, but also what kind of media it
> | should be stored on. Today CDs or DVDs make sense, but some data was on
> | various shapes of diskettes when we first got that data, and magnetic media is
> | known to only hold the data reliably for like 10 years in climate controlled
> | conditions,. This varies with quality of diskette or tape manufacturer, and
> | some media is particularly prone to getting messed up so we can't read it, like
> | a tangled tape, or diskette out of registration with the device that reads it
> | Even then, I like to have more than one set of backups.
> |
> | There is a link in turn to
> | www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4
> |
> | My interpretation of this is that the act does not ban core business
> | activities, I consider the testing of software changes to be a core business
> | activity, and I see no place here where the act disagrees with me, although I
> | have not read all of the content here.
> |
> |
> |
> | http://www.networkworld.com/news/2006/
> | 070506-firms-play-data-protection.html?nlhtsec=070306securityalert3
> |
> | By Radhika Praveen, TechWorld, 07/05/06
> |
> | Large numbers of companies are taking risks with data protection, because
> | they are not aware of the requirements of the law.
> |
> | Nearly half (44%) of companies use live data in test environments --
> | something the 1998 Data Protection Act warns against explicitly, according
> | to a recent survey of IT directors by Compuware.
> |
> | Half the directors (48%) were only 'vaguely familiar' with the Act itself,
> | according to the research, which highlights the importance of
> | understanding the demands and keeping track of how customer data is
> | treated.
> |
> | A further "83% used only minimal measures such as using non disclosure
> | agreements (NDA) to control data when outsourcing," said Ian Clarke, world
> | wide enterprise solutions director at Compuware.
> |
> | NDAs are all very well, but companies find it difficult to communicate the
> | complex legal terms to their employees or to outsourcing partners, said
> | the survey report. "Unless they have rigorous procedures in place, they
> | run the risk of live data being leaked to third parties. This can have
> | severe repercussions on customer confidence and company reputation, and
> | ultimately affect the bottom line," Clarke added.
> |
> | An NDA doesn't mean a lot when an employee in an outsourcing company in
> | India for example who earns $100-a-day can earn much more by selling
> | confidential data, he said.
> |
> | [...]
> |
> | _______________________________________________
> | Dataloss Mailing List (datalossattrition.org)
> | http://attrition.org/errata/dataloss/
> |
> | -
> | Al Macintyre
> | http://en.wikipedia.org/wiki/User:AlMac
> | http://www.ryze.com/go/Al9Mac
> | BPCS/400 Computer Janitor ... see
> | http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
>
> | _______________________________________________
> | Dataloss Mailing List (datalossattrition.org)
> | http://attrition.org/errata/dataloss/
> |
>
> _______________________________________________
> Dataloss Mailing List (datalossattrition.org)
> http://attrition.org/errata/dataloss/
>
>
>
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
Among the european nationals I've spoken to on this, it seems to be
universally believed that the ability of firms to comply with the
privacy directive (eg., by telling them what personal info is kept,
where) borders on nil. Maybe I just hang with a cynical crowd.
In my (limited) experience, the privacy directive is good for at
least one thing -- it keeps firms from collecting certain information
in the first place.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
[Dataloss] Montana health office computer stolen -- may have contained PII, health info
http://news.bostonherald.com/national/view.bg?articleid=147361
Computer stolen from state health office in Montana
By Associated Press
Friday, July 7, 2006 - Updated: 03:05 PM EST
HELENA, Mont. - A state government computer was stolen during a July
Fourth break-in at the offices of a drug dependency program, and
officials were trying to determine Friday when it contained sensitive
information.
Top officials in state government were unaware Friday morning
that the Public Health and Human Services computer, assigned to a
state chemical dependancy program officer, had disappeared.
Helena Police Chief Troy McGee said a burglar broke in over the
holiday. A state worker who went into the building that day noticed a
skylight had been broken and called police.
Police were not informed if the computer contained any
sensitive data, such as Social Security numbers or medical
information, he said.
[...]
[Trying to determine *when* it contained sensitive info? So they are
saying that they know that at one time it did? Or did AP editors let
a 'when' slip in where a 'whether' was warranted?]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
[Dataloss] Colorado Work Place Identity Theft Statistics
The Colorado Dept of Labor http://www.coworkforce.com/ just released
statistics on the degree to which Identity Theft is being used to secure
jobs in that state, perhaps some by illegal immigrants.
For list readers not in USA, we all have to pay employment taxes, which are
recorded using our social security number, so the government gets all that
data, except in cases where employers or independent contractors have
failed to file the neccessary paperwork.
>In the third quarter of 2005, the department recorded 2,249 instances
>where employers reported a Social Security number that was used six or
>more times. One number was provided by 50 different employers.
>
>During the first quarter of 2006, 368 Social Security numbers were filed
>more than six times by 2,828 employers. One number was reported by 57
>different employers.
How much you want to bet the IRS will be after whoever that social security
number belongs to, complaining they under reported their income when they
paid their income taxes?
{...} more info in the rest of the article
http://www.bizjournals.com/denver/stories/2006/07/03/daily18.html
Colorado Gov site: http://www.colorado.gov/
Colorado Cyber Security http://www.colorado.gov/cybersecurity/index.html
Colorado in perspective http://en.wikipedia.org/wiki/Colorado
-
Al Mac AKA Alister Wm. Macintyre
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
We discussed recently the matter of real data in a test environment
with a client. Frequently, when conducting an internal penetration
test, we find copies of real data on development machines unprotected
by passwords or encryption. Rather than try to insist that developers
protect this real data properly, which is never going to happen, we
suggested the following: (1) replace all name fields with alpha
garbage (of the correct field lengths) so as to depersonalise the
data (2) randomly swap fields such as city, zip code, credit card
number etc. so that any given row of data is useless to a thief but
still valid per range checks etc.
Any views on this idea?
Pete
At 08:10 09/07/2006 -0700, George Toft wrote:
>I think we should make a distinction between live data and real data.
>
>Some companies make copies of their live data and put it in their
>development environment(s) for development and testing. It's not live
>data, but it is certainly real.
>
>There are many benefits to using a copy of live data, but in today's
>reality, I think the risk to the business is too great to endorse this
>activity. I think it also might violate the spirit of "separation of
>duty" that most companies implement to keep developers out of production
>systems.
>
>Regards,
>
>George Toft, CISSP, MSIS
>My IT Department
>www.myITaz.com
>480-544-1067
--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
[Dataloss] Franklin Transit leaves private data on surplused computers
Old computers were sold at auction. One buyer finds social security
numbers for 200 co-workers. This leads to the whistle blower being
disciplined, but the transit company also eventually beefing up its security.
http://www.tri-cityherald.com/tch/opinions/story/7947732p-7841262c.html
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
If the client is really serious about this effort, I think it is much
better than using real data. I suggest scrambling the credit card info
(SSN's as well) unless there is some aspect of the application that does
a validity check on the value. For CC numbers, if the CC processor
returned an authorization code at the time of sale, it must be valid, so
I see no reason to maintain that number intact.
I also recommend they make someone personally accountable for any real
data stored outside of the prod environment. Without accountability,
the rules won't be followed, and you'll find real data stored on
machines without adequate security...
My thoughts :)
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.
Peter Wood wrote:
> We discussed recently the matter of real data in a test environment
> with a client. Frequently, when conducting an internal penetration
> test, we find copies of real data on development machines unprotected
> by passwords or encryption. Rather than try to insist that developers
> protect this real data properly, which is never going to happen, we
> suggested the following: (1) replace all name fields with alpha
> garbage (of the correct field lengths) so as to depersonalise the
> data (2) randomly swap fields such as city, zip code, credit card
> number etc. so that any given row of data is useless to a thief but
> still valid per range checks etc.
>
> Any views on this idea?
>
> Pete
>
> At 08:10 09/07/2006 -0700, George Toft wrote:
> >I think we should make a distinction between live data and real data.
> >
> >Some companies make copies of their live data and put it in their
> >development environment(s) for development and testing. It's not live
> >data, but it is certainly real.
> >
> >There are many benefits to using a copy of live data, but in today's
> >reality, I think the risk to the business is too great to endorse this
> >activity. I think it also might violate the spirit of "separation of
> >duty" that most companies implement to keep developers out of production
> >systems.
> >
> >Regards,
> >
> >George Toft, CISSP, MSIS
> >My IT Department
> >www.myITaz.com
> >480-544-1067
>
>
> --------------------------------------------------------------------
> Peter Wood FBCS CITP MIEEE MIMIS CISSP
> Chief of Operations
> First Base Technologies
> Office: +44 (0)1273 454525
> Mobile: +44 (0)7774 239915
> www.fbtechies.co.uk
> www.white-hats.co.uk
>
> _______________________________________________
> Dataloss Mailing List (datalossattrition.org)
> http://attrition.org/errata/dataloss/
>
>
>
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
PCI Data Security Standard #6.3.4 requires that "Production data (real
credit card numbers) are not used for testing or development."
This applies to all levels of merchants no matter how many transactions are
performed.
See more at :
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cis
p_PCI_Data_Security_Standard.pdf
Saundra Kae Rubel, CIPP
-----Original Message-----
From: dataloss-bouncesattrition.org [mailto:dataloss-bouncesattrition.org]
On Behalf Of George Toft
Sent: Monday, July 10, 2006 5:32 AM
To: datalossattrition.org
Subject: Re: [Dataloss] Firms play Data Protection roulette
If the client is really serious about this effort, I think it is much
better than using real data. I suggest scrambling the credit card info
(SSN's as well) unless there is some aspect of the application that does
a validity check on the value. For CC numbers, if the CC processor
returned an authorization code at the time of sale, it must be valid, so
I see no reason to maintain that number intact.
I also recommend they make someone personally accountable for any real
data stored outside of the prod environment. Without accountability,
the rules won't be followed, and you'll find real data stored on
machines without adequate security...
My thoughts :)
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.
Peter Wood wrote:
> We discussed recently the matter of real data in a test environment
> with a client. Frequently, when conducting an internal penetration
> test, we find copies of real data on development machines unprotected
> by passwords or encryption. Rather than try to insist that developers
> protect this real data properly, which is never going to happen, we
> suggested the following: (1) replace all name fields with alpha
> garbage (of the correct field lengths) so as to depersonalise the
> data (2) randomly swap fields such as city, zip code, credit card
> number etc. so that any given row of data is useless to a thief but
> still valid per range checks etc.
>
> Any views on this idea?
>
> Pete
>
> At 08:10 09/07/2006 -0700, George Toft wrote:
> >I think we should make a distinction between live data and real data.
> >
> >Some companies make copies of their live data and put it in their
> >development environment(s) for development and testing. It's not live
> >data, but it is certainly real.
> >
> >There are many benefits to using a copy of live data, but in today's
> >reality, I think the risk to the business is too great to endorse this
> >activity. I think it also might violate the spirit of "separation of
> >duty" that most companies implement to keep developers out of production
> >systems.
> >
> >Regards,
> >
> >George Toft, CISSP, MSIS
> >My IT Department
> >www.myITaz.com
> >480-544-1067
>
>
> --------------------------------------------------------------------
> Peter Wood FBCS CITP MIEEE MIMIS CISSP
> Chief of Operations
> First Base Technologies
> Office: +44 (0)1273 454525
> Mobile: +44 (0)7774 239915
> www.fbtechies.co.uk
> www.white-hats.co.uk
>
> _______________________________________________
> Dataloss Mailing List (datalossattrition.org)
> http://attrition.org/errata/dataloss/
>
>
>
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/
Re: [Dataloss] Firms play Data Protection roulette
| | | | | | | | | | |
