BreachExchange mailing list archives
Re: Suggestion for changing status quo on data losses
From: "Sean Steele" <SSteele () infolocktech com>
Date: Fri, 1 Aug 2008 17:06:44 -0400
Arshad,

I believe the plan/advice/activism you outline below is done in earnest, but it strikes me as hopelessly naive (and I don't mean that in a pejorative way). I live and work in Washington, DC, and this is my take...

For starters, what's our goal beyond acting to "shake [legislators] up"? The only concrete action that a legislator can conduct is to either create, contribute to, or vote on policy/law/legislation. Are we seeking more legislation? What sort of legislation and to what end? What new act(s) of Congress will affect data protection and data stewardship beyond the collective GLBA/HIPAA/SOX/FISMA/etc. we already have in place? Should we move to legislate the provisions of PCI-DSS (a set of industry regulations for the payment card industry), for example?

My guess is we have enough compliance requirements already, but we haven't properly ENFORCED them with the Executive Branch (the White House and its executive agencies like DOJ, FBI, DHHS, DHS, DOC, etc.). Enforcement should and can come through either the "carrot" (financial incentives for no data breaches, etc.) or the "stick" (criminal penalties, civil fines, suspension of business operations, etc.).

I believe this past month we saw the first instance of the US Dept. of Health & Human Services (DHHS), Office of Civil Rights (OCR), the HIPAA security enforcement office, actually levying fines and penalties for a HIPAA security violation that amounted to at least $100,000: http://www.healthcareitnews.com/story.cms?id=9610&page=1. This is in the more than 3 years since most covered entities became fully subject to HIPAA security compliance requirements.

With all this said, it can't hurt. I just don't think Congress is where we want to be lobbying -- we should wait for the new Administration and direct our efforts squarely at the enforcement agencies, auditors, and "watchdogs".

Best,

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteele () infolocktech com

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Arshad Noor
Sent: Friday, August 01, 2008 4:09 PM
To: dataloss () attrition org
Subject: [Dataloss] Suggestion for changing status quo on data losses

In light of the exemplary work the people behind this listserv do, and the educational service they provide, I would like to suggest taking this a step further so we can stem this deluge of data losses we are subjected to every day.

I propose that attrition.org make up a dedicated list of every US Senator and Congressman, and email them every single data-loss announcement.

It is my sincere belief that US-based politicians have their heads in the sand about the gravity of this problem, as do most people on the street. However, the media is also to blame. (I live in Silicon Valley and I do not recall seeing any news item about the 80-million birthdates exposed by Facebook or the password breaches at the iTunes web site in the newspaper here; but for this and another forum, even I would be clueless).

However, if this listserv notifies every US Senator & Congress person about every breach that we see, then they/their staffers can hardly claim they didn't realize how bad the situation is. The once-a-year report put out by the FTC is good for soundbites, but the daily reports of the losses ought to shake them up.

If not, I suggest letting them know with your vote this November. (I intend to).

Arshad Noor
StrongAuth, Inc.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml