BreachExchange mailing list archives
Re: [Dataloss] New Nationwide Breach Law Could Force Data-Centric Security Push
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 15 Jun 2011 18:47:37 -0400
On Tue, Jun 14, 2011 at 3:25 AM, security curmudgeon <jericho () attrition org> wrote:
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.darkreading.com/database-security/167901020/security/security-management/230600093/new-nationwide-breach-law-could-force-data-centric-security-push.html

By Ericka Chickowski
Contributing Writer
Dark Reading
June 13, 2011

The surge in high-impact data breaches in the first half of 2011 -- and its resulting attention from consumers -- is increasing the pressure on federal lawmakers and regulators to introduce nationwide data breach disclosure and protection laws.

Though no one is sure what its final language might say, a federal law requiring companies to disclose their breaches has a better chance of passing this year than ever before, and experts believe that enterprises will need to bolster data-centric protection policies and monitoring programs to ready themselves.

"It's likely that any national data breach law will attempt to directly address data security," says Josh Shaul, CTO for Application Security Inc., an application security tool vendor. "This will force organizations to change today's perimeter-focused IT security model to pay much more attention to protecting sensitive information where it lives in databases and file systems."

Making the biggest waves last week was the introduction of the Personal Data Privacy and Security Act by Senator Patrick Leahy, which among other provisions would criminalize the cover-up of a data breach. If such a law introduces federal criminal charges against enterprises that do not disclose breaches in a timely manner, some experts believe that monitoring of account activity and potential breach signs would likely grow in importance.
What worries me about the federal legislation:

(1) In some instances, it will probably weaken stronger state laws.
(2) There are no provisions for class-action suits based on recognizing the data loss as the damage.

I think nearly everyone realizes (1) once they think about it. However, for (2): every class-action lawsuit stemming from a data breach [which I have read] has been tossed out of court because the victims cannot show damage. It's like a judge saying, "there's no proof that the thief who stole your money spent the money". Lawmakers and judges don't realize (or acknowledge) that the data is the commodity.

Victims will have to endure years of anxiety, countless hours lost on "what to do after a loss", and self-funded credit monitoring because the law and our courts have chosen to re-victimize the victims.

Jeff
Current thread:
- New Nationwide Breach Law Could Force Data-Centric Security Push security curmudgeon (Jun 15)
- Re: [Dataloss] New Nationwide Breach Law Could Force Data-Centric Security Push Jeffrey Walton (Jun 15)