[Dataloss] Discussion regarding breach notification
lyger
lyger at attrition.org
Wed May 10 00:23:50 EDT 2006
Some topical thoughts and possible material for discussion from Emergent
Chaos:
http://www.emergentchaos.com/archives/2006/05/breach_notification_the_n.html
http://www.emergentchaos.com/archives/2006/05/half_empty.html
(from Chris Walsh's post):
"I think Adam is too kind to Arizona's new breach law.
My issues have to do with how various elements of the law might be
interpreted:
"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff
and my sense of what constitutes materiality has been warped, but I would
need to be reassured that this term means something "smaller" than it does
in the SOX context. I realize this language is present in practically all
breach laws, as well as HIPAA, etc.
"acquisition and access" -- so if I simply hack in (gain "access"), but
the audit trail doesn't show that I did "acquire" PII, you get to keep
quiet? How would acquisition be established?
"substantial economic loss" -- So credit card numbers are no biggie, since
liability is limited to an insubstantial amount?
"reasonably likely" -- So, losing the PII of a bunch of people with no
credit history, or those who have been demonstrated (by ID Analytics, or
even the FTC) to be unlikely victims (like children on public assistance,
say) gets you out of notifying?"
[...]
More information about the Dataloss
mailing list