[Dataloss] Suggestion for changing status quo on data losses

Sean Steele SSteele at infolocktech.com
Fri Aug 1 21:06:44 UTC 2008


Arshad, I believe the plan/advice/activism you outline below is done in
earnest but it strikes me as hopelessly naive (and I don't mean that in
a pejorative way). I live and work in Washington, DC and this is my
take...

For starters, what's our goal beyond acting to "shake [legislators] up"?
The only concrete action that a legislator can conduct is to either
create, contribute to, or vote on policy/law/legislation. Are we seeking
more legislation? What sort of legislation and to what end? What new
act(s) of Congress will affect data protection and data stewardship
beyond the collective GLBA/HIPAA/SOX/FISMA/etc. we already have in
place? Should we move to legislate the provisions of PCI-DSS (a set of
industry regulations for the payment card industry), for example?

My guess is we have enough compliance requirements already, but we
haven't properly ENFORCED them with the Executive Branch (the White
House and its executive agencies like DOJ, FBI, DHHS, DHS, DOC, etc.).
Enforcement should and can come through either the "carrot" (financial
incentives for no data breaches, etc.) or the "stick" (criminal
penalties, civil fines, suspension of business operations, etc.)

I believe this past month we saw the first instance of the US Dept. of
Health & Human Services (DHHS), Office of Civil Rights (OCR), the HIPAA
security enforcement office, actually levying fines and penalties for a
HIPAA security violation that amounted to at least $100,000:
http://www.healthcareitnews.com/story.cms?id=9610&page=1.

This is in the more than 3 years since most covered entities became
fully subject to HIPAA security compliance requirements.

With all this said, it can't hurt. I just don't think Congress is where
we want to be lobbying -- we should wait for the new Administration and
direct our efforts squarely at the enforcement agencies, auditors, and
"watchdogs".

Best,

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219  direct
202.270.8672  mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor
Sent: Friday, August 01, 2008 4:09 PM
To: dataloss at attrition.org
Subject: [Dataloss] Suggestion for changing status quo on data losses

In light of the exemplary work the people behind this listserv
do, and the educational service they provide, I would like to
suggest taking this a step further so we can stem this deluge
of data losses we are subjected to every day.

I propose that attrition.org make up a dedicated list of every
US Senator and Congressman, and email them every single data-
loss announcement.

It is my sincere belief that US-based politicians have their
heads in the sand about the gravity of this problem, as do most
people on the street.  However, the media is also to blame.  (I
live in Silicon Valley and I do not recall seeing any news item
about the 80-million birthdates exposed by Facebook or the
password breaches at the iTunes web site in the newspaper here;
but for this and another forum, even I would be clueless).

However, if this listserv notifies every US Senator & Congress
person about every breach that we see, then they/their staffers 
can hardly claim they didn't realize how bad the situation is.  
The once a year report put out by the FTC is good for soundbites,
but the daily reports of the losses ought to shake them up.  If
not, I suggest letting them know with your vote this November.
(I intend to).

Arshad Noor
StrongAuth, Inc.
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
