BreachExchange mailing list archives
Re: hard drive destruction
From: Al Mac <macwheel99 () sigecom net>
Date: Thu, 17 Aug 2006 01:41:58 -0500
Remember that SOX only applies to companies doing business in the USA that are traded on the stock market. Many large companies are privately held.

Looking at recent large breaches:

Ernst & Young ... multiple breaches with records on different companies
* BP employees
* Cisco employees
* Hotels.com
* IBM employees
* Nokia employees
* Sun Microsystems employees
I think they are based in Britain, so different laws may be applicable than those in the USA.

Hummingbird in Canada breached 1,300,000 US students.

These are public companies in the USA:
American Insurance Group ... 930,000
Automated Data Processing ... hundreds of thousands
IBM ... 17,781,462
Marsh Insurance ... 540,000

I do not believe the American Red Cross is (several incidents, big one = 1 million people), or the American Institute of Certified Public Accountants (330,000), or Vassar Brothers Medical Center (257,800).

It might be of interest to know what proportion of breaches occurred at institutions not covered by SOX, CFR, GLBA, HIPAA, etc. In other words, the only rules that applied to them were the breach disclosure laws, and good governance without any mandate for it.

Alphabet soup of some data security standards:
http://www.unbeatenpathintl.com/ITstandards/source/1.html

I think a large proportion of breaches overall have been at Colleges and Universities. I don't think any of them are covered by SOX. However, the number of victims per academia incident is generally smaller compared to incidents by Government and Financial Institutions. I think the banks are heavily regulated, such as by GLBA, bank regulators, and the credit card standards, and most of them are public companies.

There's also the question of what industries appear to have avoided having any significant breaches, and the numbers of non-victims (because no breaches) involved there.
This whole security and accountability issue adds a new level of complexity to outsourcing and offshoring IT capabilities. Data breaches aside, when SOX moves from 404 to 409, I cannot help but wonder how some business entities will demonstrate compliance, when all of their physical data handling occurs outside of their physical control. It is deceptively easy to comply with security requirements on paper.

Of course the information security standards ISO 17799 and ISO 27001 will add additional levels of complexity. The combination of executive accountability (in terms of actually going to jail) for financial data, and the vulnerability of personal data (often stored on the same systems), will make the next 5 years .... interesting.

Andy Dail
Sunoco PCI Project Manager
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 142 million compromised records in 304 incidents over 6 years.
Current thread:
- Re: hard drive destruction, (continued)
- Re: hard drive destruction Angelo Manoloules (Aug 16)
- Re: hard drive destruction blitz (Aug 16)
- Re: hard drive destruction Chris Walsh (Aug 16)
- Re: hard drive destruction Al Mac (Aug 16)
- Re: hard drive destruction *Hobbit* (Aug 16)
- Re: hard drive destruction Joe Francis (Aug 16)
- Re: hard drive destruction George Toft (Aug 17)
- Re: hard drive destruction Joe Francis (Aug 16)
- Re: hard drive destruction DAIL, ANDY (Aug 16)
- Re: hard drive destruction DAIL, ANDY (Aug 16)
- Re: hard drive destruction DAIL, ANDY (Aug 16)
- Re: hard drive destruction Al Mac (Aug 17)