[Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?

George Toft george at myitaz.com
Thu Jan 11 09:25:16 EST 2007 

And this verbiage is what is so irritating.  If the server hard drive is 
encrypted, they can say the data was encrypted, right?  But if the 
attack were network based, and the OS decrypted the data and the 
attacker got the data, it was unencrypted.  Security professionals know 
the data was unencrypted - that's how the thief got it.  But the 
managers are going to say the drive was encrypted.

I think this verbiage is geared toward laptop theft, not server attacks. 
  The verbiage is loose enough to give the negligent ones wiggle room to 
not have to report.

The other side of this coin is getting business owners to acknowledge 
the law.  I spent the last year talking to business regulated by GLBA, 
and most of them (99%) refuse to acknowledge their obligation under the 
law, and none of them ever heard of Arizona's breach reporting law.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.


Donald Aplin wrote:
> The vast majority of the 34 state-enacted data breach
> consumer notification laws only require notice if there is
> a breach of unencrypted data. A few of the newer ones added
> that it's still a covered breach if the encryption key goes
> missing at the same time encrypted data is lost.  Perhaps
> more important are the risk of harm threshold provisions in
> many of the laws which do not require notification if after
> a "reasonable" investigation by the covered entity there is
> a determination that there was no actual damage or any
> reasonable risk of future harm done by the breach (this is
> consistent with the court examinations of breaches in which
> they pretty much uniformly do not consider the threat of
> potential ID theft to be actual damages). In short, the fox
> gets to guard the henhouse.
> 
>  Donald G. Aplin
> Legal Editor
> BNA's Privacy & Security Law Report
> (202) 452-4688
> 
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 143 million compromised records in 530 incidents over 7 years.
> 
> 
> 
>

More information about the Dataloss mailing list