<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Each company in the US has a Fiduciary responsibility to protect the
data within perimeter. This has been established under several items:
Model Business Corporation Act (ABA created and adopted by many
states), Federal Rules on Civil Procedures, US Sentencing Guidelines,
and others. These issues have defined governance and actions the
accountability of senior management while protecting the data (see my
article scmagazineus.com "<a
href="http://www.scmagazineus.com/Global-security-challenges/article/108580/">Global
Security Concerns</a>"). In many cases, management sets the
tone-at-the-top, determines what is to be spent, and is held
accountable to the stockholders ( or principals of the business). What
I expect to see, is a very savvy attorney turn a breach into a civil
suit, naming the Cxx of the company for failure to preform their due
diligence and due care of protecting the data that was entrusted to
them.<br>
<br>
Jeff wrote:
<blockquote cite="mid:000801c89a3a$b41cb4e0$6542a8c0@Spot" type="cite">
<pre wrap="">Putting a CEO in jail for a data breach would be ridiculous unless the
person were directly responsible for releasing the protected information.
Jails are already over crowded and this would not solve the problem.
Generally, it's hard to find people more clueless about IT than a CEO! Data
breeches need to be more publicized, companies should be fined heavier based
on the amount and severity of the data loss. There should also be monetary
compensation to the victims built into the law. This would eliminate the
need for court proceedings and add to the total fine and therefore risk to
the organization. At this time, there isn't much action because the majority
of people are not vocal about this issue and that makes political and
corporate leaders feel that the issue is not important enough to spend time
and money correcting.
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a> [<a class="moz-txt-link-freetext" href="mailto:dataloss-bounces@attrition.org">mailto:dataloss-bounces@attrition.org</a>]
On Behalf Of security curmudgeon
Sent: Wednesday, April 09, 2008 4:33 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>
Subject: [Dataloss] CEOs deserve jail for data breaches
---------- Forwarded message ----------
From: InfoSec News <a class="moz-txt-link-rfc2396E" href="mailto:alerts@infosecnews.org"><alerts@infosecnews.org></a>
<a class="moz-txt-link-freetext" href="http://www.techworld.com/security/news/index.cfm?newsID=11924">http://www.techworld.com/security/news/index.cfm?newsID=11924</a>
By John E. Dunn
Techworld
08 April 2008
A growing number of security pros believe that the way to stop data breaches
from happening is simple as it is stark - send the CEOs or board members
deemed responsible to jail.
The opinion emerged from a survey by security mainstay Websense at the
recent UK e-Crime Congress, which polled 107 security professionals on their
opinions. Seventy-nine percent believed that companies should be fined for
data breaches . something that does already happen in some cases in the UK .
while 59 percent were in favour of compensation for consumers affected by a
breach.
The most striking view of all was that the time had come to punish serious
data breaches with jail time for senior staff, with 25 percent rating that
as a necessary step. Only three percent were against any form of
legally-enforceable punishment.
[..]
_______________________________________________
Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>) <a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a>
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
<a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a>
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.22.10/1366 - Release Date: 4/8/2008
5:03 PM
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.22.10/1366 - Release Date: 4/8/2008
5:03 PM
_______________________________________________
Dataloss Mailing List (<a class="moz-txt-link-abbreviated" href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)
<a class="moz-txt-link-freetext" href="http://attrition.org/dataloss">http://attrition.org/dataloss</a>
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
<a class="moz-txt-link-freetext" href="http://www.tenablesecurity.com/products/compliance.shtml">http://www.tenablesecurity.com/products/compliance.shtml</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin <a class="moz-txt-link-freetext" href="http://www.linkedin.com/pub/1/b89/433">http://www.linkedin.com/pub/1/b89/433</a>
</pre>
</body>
</html>