[Dataloss] Breach Notification Escape Mechanisms
lyger
lyger at attrition.org
Tue Mar 21 15:51:49 EST 2006
(commentary on securityfocus.com debit-card fraud article posted earlier)
http://www.emergentchaos.com/archives/2006/03/breach_notification_escap.html
In a somewhat incendiary piece published today at Securityfocus.com,
Robert Lemos reports on loopholes in notification laws which permit firms
to avoid informing people that their personal information has been
revealed.
According to the article, which along with unnamed "security experts" also
cites industry notable Avivah Levitan, "[t]here are three cases in which a
company suffering a breach can bypass current notification laws". First is
if notification would impede an investigation by law enforcement, then:
If the stolen data includes identifiable information--such as debit
card account numbers and PINs--but not the names of consumers, then a
loophole in the law allows the company who failed to protect the data to
also forego notification. Finally, if the database holding the personal
information was encrypted but the encryption key was also stolen, then the
company responsible for the data can again withhold its warning.
Not quite. At least one state has a law that closes the quoted loopholes.
[...]