BreachExchange mailing list archives
Fw: time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
From: "Mitch Tanenbaum - MC" <mtanenbaum () mercurycompanies com>
Date: Fri, 6 Jun 2008 17:34:56 -0600
Two things. I am guessing that the data includes customers from most of the 50 states given this is a major bank, so the rules get very mushy given it is controlled by the state of residency.

Second, some states, like NY, do not have an encryption exclusion at all.

Mitch

----- Original Message -----
From: dataloss-bounces () attrition org <dataloss-bounces () attrition org>
To: security curmudgeon <jericho () attrition org>
Cc: dataloss () attrition org <dataloss () attrition org>
Sent: Fri Jun 06 17:13:39 2008
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

----- Original Message -----
From: "security curmudgeon" <jericho () attrition org>
To: dataloss () attrition org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Taking this one step farther, what if the tape *is* encrypted using really strong encryption and the tape is lost. Does the company have to warn customers?

Certainly not in California. The Breach Disclosure law (originally SB-1386) provides a safe-harbor for encrypted data. Not sure what the other 42 US states do, but they modeled their laws along the lines of California's to the best of my knowledge.

If not, will that lead to companies claiming strong encryption regardless,....

This is a weakness in all Breach Disclosure laws. They do not specify the type of encryption. While I agree that lawmakers are not the most qualified people to determine appropriate ciphers, they could have at least pointed to NIST standards as the minimum. That would have given us 3DES and AES encryption. Right now, we have nothing. Very short-sighted.

Arshad Noor
StrongAuth, Inc.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks.
Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml