[Dataloss] [vanderaj at greebo.net: SF new column announcement: Strict liability for data breaches?]
Adam Shostack
adam at homeport.org
Tue Feb 21 11:35:45 EST 2006
On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack <adam at homeport.org> wrote:
| > Interesting article. I wonder how many laptops need to be stolen for
| > it to be foreseeable.
|
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defining that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.
Sure. Doesn't the standard of due care depend (in part) on
foreseeability? E.g., a normal person should foresee that kids will come
play in their pool. IANAL.
Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.
| I really think the regulations are written in a vacuum. Ever read the
| technical requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reworded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.
Yes.