[Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
Jeff Walker
jwalker at absolute.com
Wed Jan 10 10:02:13 EST 2007
Good stuff, guys.
My questions to the experts on data protection laws are: 1) do some states say organizations don't have to disclose a breach if the data was encrypted?, and 2) are there differences in disclosure methodology/semantics for an external theft versus an internal one?
Thanks in advance!
--jeff
________________________________
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of ray.hawkins at comcast.net
Sent: Wednesday, January 10, 2007 8:50 AM
To: B.K. DeLong; Richard Forno
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable? [faked-from]
My sense is that it has become nothing more than "aw shucks" gotta fess up p.r. vomit. It may be interesting to see how, if any, political winds may shift with the new Congress and whether any cohesive regulatory/statutory bills with teeth will pass with the Dems. Have the prevailing perspectives become that "it is not a matter of 'if' but 'when'" a breach or another breach will happen? Shoring up data privacy controls is a business decision that is being weighed in terms of the cost of control and risk mitigation versus the cost absorption of a breach - just another footnote on a balance sheet or a single buried line in the annual report. The "what if" may be whether or not the wascally wabbits would weally weally take it seriously (insert Elmer Fudd voice) if they were instead criminally liable for data breaches in absence of a defined due diligence in protecting data. Thoughts?
--
~The Hawk
-------------- Original message --------------
From: "B.K. DeLong" <bkdelong at pobox.com>
> That would be an interesting data point to collect - how many
> incidents had a corporate wonk saying something to the effect of "very
> seriously" or "extremely seriously".
>
> On 1/10/07, Richard Forno wrote:
> > They Take it Seriously? Oh, Sure
> > January 9th, 2007 by Dan Gillmor
> >
> > (I originally wrote this for PR Week magazine.)
> >
> > Several weeks ago, UCLA acknowledged that some of its computers had been
> > hacked. Obeying a state law, it notified more than 800,000 people that their
> > personal data, including Social Security numbers, might have ended up in the
> > wrong hands.
> >
> > The fact that the data got loose wasn't all that striking. Unfortunately,
> > that's all too common. What struck me was this statement from a hapless UCLA
> > honcho: "We have a responsibility to safeguard personal information, an
> > obligation that we take very seriously."
> >
> > When and where have I heard that before? All kinds of times and places,
> > actually. It's becoming a mantra that means almost nothing.
> >
> > Try this: Plug "we take" and "very seriously" into a Google News or Yahoo
> > News search. You'll get hundreds of hits, albeit some repeats, where some
> > big institution - corporate, educational, government, whatever - makes a
> > giant blunder and then issues a "we take (insert the violated policy) very
> > seriously" statement.
> >
> > < - >
> >
> > http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/
> >
> >
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> > Tracking more than 143 million compromised records in 529 incidents over 6
> > years.
> >
> >
> >
>
>
> --
> B.K. DeLong (K3GRN)
> bkdelong at pobox.com
> +1.617.797.8471
>
> http://www.wkdelong.org Son.
> http://www.ianetsec.com Work.
> http://www.bostonredcross.org Volunteer.
> http://www.carolingia.eastkingdom.org Service.
> http://bkdelong.livejournal.com Play.
>
>
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
> FOAF:
> http://foaf.brain-stream.org