[Dataloss] [vanderaj at greebo.net: SF new column announcement:Strict liability for data breaches?]
MariaParedes at financial.wellsfargo.com
MariaParedes at financial.wellsfargo.com
Tue Feb 21 11:59:54 EST 2006
I completely agree on having the IT community provide input on the technical aspects for each of those acts.
Ever since joining this list (less than a month), I've noticed a pattern: the data breaches across the US and the world seem to be a daily issue. Every time I read of another data loss, I question the security and policies of these major corporations in whom so many consumers trust their personal and financial information to.
I believe major changes need to happen in the data security arena and one of those should be to empower (and inform) the billions of affected individuals to take charge and follow suit for any company that mishandles their information. After all, why would I want to trust a company with my personal and/or financial data if they cannot assure me that it will be protected as their most valuable asset?
María G Paredes
OS Analyst
"This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation".
"Este mensaje puede contener información confidencial y/o privilegiada. Si usted no es el destinatario o no está autorizado para recibirlo por parte del destinatario, usted no puede usar, copiar, revelar, o tomar ninguna acción basada en este mensaje o cualquier información en el mismo. Si usted ha recibido este mensaje por error, favor de notificarle al remitente inmediatamente al responder a este correo electrónico y borre este mensaje. Gracias por su cooperación."
-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Tuesday, February 21, 2006 10:36 AM
To: Mike Fratto
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] [vanderaj at greebo.net: SF new column announcement:Strict liability for data breaches?]
On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack <adam at homeport.org> wrote:
| > Interesting article. I wonder how many laptops need to be stolen for
| > it to be forseeable.
|
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defininf that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.
Sure. Doesn't the standard of due care depend (in part) on
foreseeability? Eg, a normal person should forsee that kids will come
play in their pool. IANAL.
Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.
| I really think the regulations are written in a vacuum. Ever read the
| techincal requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reqorded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.
Yes.
_______________________________________________
Dataloss mailing list
Dataloss at attrition.org
https://attrition.org/mailman/listinfo/dataloss
More information about the Dataloss
mailing list