Discussion regarding breach notification

[lyger <lyger () attrition org>]

Some topical thoughts and possible material for discussion from Emergent 
Chaos:

http://www.emergentchaos.com/archives/2006/05/breach_notification_the_n.html

http://www.emergentchaos.com/archives/2006/05/half_empty.html

(from Chris Walsh's post):

"I think Adam is too kind to Arizona's new breach law.

My issues have to do with how various elements of the law might be 
interpreted:

"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff 
and my sense of what constitutes materiality has been warped, but I would 
need to be reassured that this term means something "smaller" than it does 
in the SOX context. I realize this language is present in practically all 
breach laws, as well as HIPAA, etc.

"acquisition and access" -- so if I simply hack in (gain "access"), but 
the audit trail doesn't show that I did "acquire" PII, you get to keep 
quiet? How would acquisition be established?

"substantial economic loss" -- So credit card numbers are no biggie, since 
liability is limited to an insubstantial amount?

"reasonably likely" -- So, losing the PII of a bunch of people with no 
credit history, or those who have been demonstrated (by ID Analytics, or 
even the FTC) to be unlikely victims (like children on public assistance, 
say) gets you out of notifying?"

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/