[Dataloss] [vanderaj at greebo.net: SF new column announcement: Strict liability for data breaches?]

Adam Shostack adam at homeport.org
Tue Feb 21 11:35:45 EST 2006


On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack <adam at homeport.org> wrote:
| > Interesting article.  I wonder how many laptops need to be stolen for
| > it to be foreseeable.
| 
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defining that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.

Sure.  Doesn't the standard of due care depend (in part) on
foreseeability?  Eg, a normal person should foresee that kids will come
play in their pool.  IANAL.

Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.

| I really think the regulations are written in a vacuum. Ever read the
| technical requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reworded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.

Yes.
