BreachExchange mailing list archives
Breach Notification Escape Mechanisms
From: lyger <lyger () attrition org>
Date: Tue, 21 Mar 2006 15:51:49 -0500 (EST)
(commentary on securityfocus.com debit-card fraud article posted earlier)

http://www.emergentchaos.com/archives/2006/03/breach_notification_escap.html

In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed "security experts" also cites industry notable Avivah Levitan, "[t]here are three cases in which a company suffering a breach can bypass current notification laws". First is if notification would impede an investigation by law enforcement, then:

    If the stolen data includes identifiable information--such as debit card account numbers and PINs--but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/