<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:1627421319 -2147483648 8 0 66047 0;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;
        mso-font-charset:0;
        mso-generic-font-family:swiss;
        mso-font-pitch:variable;
        mso-font-signature:536871559 0 0 0 415 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {mso-style-parent:"";
        margin:0in;
        margin-bottom:.0001pt;
        mso-pagination:widow-orphan;
        font-size:12.0pt;
        font-family:"Times New Roman";
        mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;
        text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;
        text-underline:single;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        mso-style-noshow:yes;
        mso-ansi-font-size:10.0pt;
        mso-bidi-font-size:10.0pt;
        font-family:Verdana;
        mso-ascii-font-family:Verdana;
        mso-hansi-font-family:Verdana;
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none;
        text-underline:none;
        text-decoration:none;
        text-line-through:none;}
span.SpellE
        {mso-style-name:"";
        mso-spl-e:yes;}
span.GramE
        {mso-style-name:"";
        mso-gram-e:yes;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;
        mso-header-margin:.5in;
        mso-footer-margin:.5in;
        mso-paper-source:0;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>
<div class=Section1>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'>Good stuff, guys.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'>My questions to the experts on data
protection laws are:<span style='mso-spacerun:yes'> </span>1) do some states
say organizations don’t have to disclose a breach if the data was
encrypted, and 2) are there differences in disclosure
methodology/semantics for an <u>external theft versus an internal one?</u><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'>Thanks in advance!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'>--<span class=GramE>jeff</span> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:blue'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>ray.hawkins@comcast.net<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, January 10, 2007
8:50 AM<br>
<b><span style='font-weight:bold'>To:</span></b> B.K. DeLong; Richard Forno<br>
<b><span style='font-weight:bold'>Cc:</span></b> dataloss@attrition.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Dataloss] They Take
it Seriously? Oh, Sure - Criminally Liable? [faked-from]</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>My sense is that it has become nothing more than "aw
shucks" gotta fess up p.r. vomit. It may be interesting to see how,
if any, political winds may shift with the new Congress and whether any
cohesive regulatory/statutory bills <u>with</u> teeth will pass with the
Dems. Have the prevailing perspectives become that "it is not a
matter of 'if' but 'when'" a breach or another breach will
happen? Shoring up data privacy controls is a business decision that is
being weighed in terms of the cost of control and risk mitigation versus the
cost absorption of a breach - just another footnote on a balance sheet or a
single buried line in the annual report. The "what if" may be
whether or not the wascally wabbits would weally weally take it seriously
(insert Elmer Fudd voice) if they were instead criminally liable for data
breaches in absence of a defined due diligence in protecting data.
Thoughts?<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div id=signature>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>--<br>
~The Hawk<o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid #1010FF 1.5pt;padding:0in 0in 0in 4.0pt;
margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>-------------- Original message -------------- <br>
From: "B.K. DeLong" &lt;bkdelong@pobox.com&gt; <br>
<br>
> That would be an interesting data point to collect - how many <br>
> incidents had a corporate wonk saying something to the effect of
"very <br>
> seriously" or "extremely seriously". <br>
> <br>
> On 1/10/07, Richard Forno &lt;RFORNO@INFOWARRIOR.ORG&gt; wrote: <br>
> > They Take it Seriously? Oh, Sure <br>
> > January 9th, 2007 by Dan Gillmor <br>
> > <br>
> > (I originally wrote this for PR Week magazine.) <br>
> > <br>
> > Several weeks ago, UCLA acknowledged that some of its computers had been
<br>
> > hacked. Obeying a state law, it notified more than 800,000 people
that their <br>
> > personal data, including Social Security numbers, might have ended up
in the <br>
> > wrong hands. <br>
> > <br>
> > The fact that the data got loose wasn't all that striking. Unfortunately,
<br>
> > that's all too common. What struck me was this statement from a
hapless UCLA <br>
> > honcho: "We have a responsibility to safeguard personal information,
an <br>
> > obligation that we take very seriously." <br>
> > <br>
> > When and where have I heard that before? All kinds of times and
places, <br>
> > actually. It's becoming a mantra that means almost nothing. <br>
> > <br>
> > Try this: Plug "we take" and "very seriously" into a Google News or
Yahoo <br>
> > News search. You'll get hundreds of hits, albeit some repeats, where
some <br>
> > big institution - corporate, educational, government, whatever -
makes a <br>
> > giant blunder and then issues a "we take (insert the violated policy)
very <br>
> > seriously" statement. <br>
> > <br>
> > < - > <br>
> > <br>
> > http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/ <br>
> > <br>
> > <br>
> > _______________________________________________ <br>
> > Dataloss Mailing List (dataloss@attrition.org) <br>
> > http://attrition.org/dataloss <br>
> > Tracking more than 143 million compromised records in 529 incidents
over 6 <br>
> years. <br>
> > <br>
> > <br>
> > <br>
> <br>
> <br>
> -- <br>
> B.K. DeLong (K3GRN) <br>
> bkdelong@pobox.com <br>
> +1.617.797.8471 <br>
> <br>
> http://www.wkdelong.org Son. <br>
> http://www.ianetsec.com Work. <br>
> http://www.bostonredcross.org Volunteer. <br>
> http://www.carolingia.eastkingdom.org Service. <br>
> http://bkdelong.livejournal.com Play. <br>
> <br>
> <br>
> PGP Fingerprint: <br>
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE <br>
> <br>
> FOAF: <br>
> http://foaf.brain-stream.org <br>
> <br>
> <o:p></o:p></span></font></p>
</blockquote>
</div>
</body>
</html>