BreachExchange mailing list archives
Re: Reporting Dataloss
From: Chris Walsh <chris () cwalsh org>
Date: Sat, 3 May 2008 17:43:19 -0500
If this happened in my school district, I would notify the Superintendent of Schools, and try to obtain in writing the reason for not notifying. I would then follow up explaining why I thought this approach was mistaken. If this was not persuasive, I would then attend the next school board meeting, and when the agenda item for all other business (or public comment) came along, I would calmly restate the facts in detail, and ask for Board comment. I would also make sure that my remarks were reflected in the minutes (FOIA the minutes after the meeting if you have to, go to the next meeting, and ask that they be corrected if your remark is not on the record). Often, even in small towns, the press attend such meetings, or they are taped and played again and again on public affairs cable stations.

I would reserve this level of response only for government bodies, and only as a last resort, only if I was dead certain of the facts, and only if I came upon these "publicly posted" materials entirely in good faith. I would not want to have to explain why issuing an HTTP GET on www.someschool.edu/getrecords?ID=xxxx for numerous values of 'xxxx' is not "hacking".

Note that in many states the fact that the *entire* last name was not exposed would, by my reading, allow the entity not to be required to report this to those potentially impacted. I hasten to add that I am not a lawyer.

One last note: read up on the family educational records and privacy act (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html). It is pretty strict, and may provide you with a persuasive argument to make to the powers that be.

On May 3, 2008, at 11:11 AM, Aaron Allen wrote:
Back in November 2007, I uncovered a data breach containing about 7000 partial names, addresses and full SSNs of students that graduated from the public school system from which I graduated in 2002. The data was publicly posted on a website of a vendor that the school had used. So, my question to the list is: what is the best way, and to whom, do you report a data loss event that neither of the responsible parties is willing to disclose?
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss