BreachExchange mailing list archives
Discussion regarding breach notification
From: lyger <lyger () attrition org>
Date: Wed, 10 May 2006 00:23:50 -0400 (EDT)
Some topical thoughts and possible material for discussion from Emergent Chaos:

http://www.emergentchaos.com/archives/2006/05/breach_notification_the_n.html
http://www.emergentchaos.com/archives/2006/05/half_empty.html

(from Chris Walsh's post):

"I think Adam is too kind to Arizona's new breach law. My issues have to do with how various elements of the law might be interpreted:

"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this term means something "smaller" than it does in the SOX context. I realize this language is present in practically all breach laws, as well as HIPAA, etc.

"acquisition and access" -- so if I simply hack in (gain "access"), but the audit trail doesn't show that I did "acquire" PII, you get to keep quiet? How would acquisition be established?

"substantial economic loss" -- So credit card numbers are no biggie, since liability is limited to an insubstantial amount?

"reasonably likely" -- So, losing the PII of a bunch of people with no credit history, or those who have been demonstrated (by ID Analytics, or even the FTC) to be unlikely victims (like children on public assistance, say) gets you out of notifying?"

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/