[Dataloss] [vanderaj at greebo.net: SF new column announcement: Strict liability for data breaches?]

Mike Fratto mfratto at gmail.com
Tue Feb 21 11:30:02 EST 2006


On 2/20/06, Adam Shostack <adam at homeport.org> wrote:
> Interesting article.  I wonder how many laptops need to be stolen for
> it to be foreseeable.

That's not the issue. The issue is did the company take due care?
Since the regulations like GLBA, HIPAA, SOX 404, and others are so
incredibly vague, the courts look to other things like "best
practices". One way of defining that is "are they doing what their
peers are doing to protect data." The idea being the collective has a
better idea of a best practice than an individual. Stupid, I know, but
that is the way it is. The courts need to go somewhere for guidance.

I really think the regulations are written in a vacuum. Ever read the
technical requirements for HIPAA? I doubt that they had any IT input.
I could think of a dozen ways that I would have reworded each passage
so that it was more specific on the required functions while still
being flexible enough for future use. But that's just me.

