[Dataloss] Fw: time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Mitch Tanenbaum - MC mtanenbaum at mercurycompanies.com
Fri Jun 6 23:34:56 UTC 2008 

Two things

I am guessing that the data includes customers from most of the 50 states given this is a major bank so the rules get very mushy given it is controlled by the state of residency.

Second, some states like NY, do do not have an encryption exclusion at all.

Mitch

----- Original Message -----
From: dataloss-bounces at attrition.org <dataloss-bounces at attrition.org>
To: security curmudgeon <jericho at attrition.org>
Cc: dataloss at attrition.org <dataloss at attrition.org>
Sent: Fri Jun 06 17:13:39 2008
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)


----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: dataloss at attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)


Taking this one step farther, what if the tape *is* encrypted using really 
strong encryption and the tape is lost. Does the company have to warn 
customers?

  Certainly not in California.  The Breach Disclosure law (originally 
  SB-1386) provides a safe-harbor for encrypted data.  Not sure what the 
  other 42 US states do, but they modeled their laws along the lines of
  California's to the best of my knowledge.

If not, will that lead to companies claiming strong encryption 
regardless,....

  This is a weakness in all Breach Disclosure laws.  They do not specify
  the type of encryption.  While I agree that lawmakers are not the most
  qualified people to determine appropriate ciphers, they could have at
  least pointed to NIST standards as the minimum.  That would have given
  us 3DES and AES encryption.  Right now, we have nothing.  Very short-
  sighted.

Arshad Noor
StrongAuth, Inc.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080606/1f5001c6/attachment.html

More information about the Dataloss mailing list