Re: [Dataloss] New Nationwide Breach Law Could Force Data-Centric Security Push

[Jeffrey Walton <noloader () gmail com>]

On Tue, Jun 14, 2011 at 3:25 AM, security curmudgeon
<jericho () attrition org> wrote:
> ---------- Forwarded message ----------
> From: InfoSec News <alerts () infosecnews org>
>
> http://www.darkreading.com/database-security/167901020/security/security-management/230600093/new-nationwide-breach-law-could-force-data-centric-security-push.html
>
> By Ericka Chickowski
> Contributing Writer
> Dark Reading
> June 13, 2011
>
> The surge in high-impact data breaches in the first half of 2011 -- and
> its resulting attention from consumers --is increasing the pressure on
> federal lawmakers and regulators to introduce nationwide data breach
> disclosure and protection laws.
>
> Though no one is sure what its final language might say, a federal law
> requiring companies to disclose their breaches has a better chance of
> passing this year than ever before, and experts believe that enterprises
> will need to bolster data-centric protection policies and monitoring
> programs to ready themselves.
>
> "It?s likely that any national data breach law will attempt to directly
> address data security," says Josh Shaul, CTO for Application Security
> Inc., an application security tool vendor. "This will force organizations
> to change today?s perimeter-focused IT security model to pay much more
> attention to protecting sensitive information where it lives in databases
> and file systems."
>
> Making the biggest waves last week was the introduction of the Personal
> Data Privacy and Security Act by Senator Patrick Leahy, which among other
> provisions would criminalize the cover-up of a data breach. If such a law
> introduces federal criminal charges against enterprises that do not
> disclose breaches in a timely manner, some experts believe that monitoring
> of account activity and potential breach signs would likely grow in
> importance.
What worries me about the federal legislation:

(1) In some instances, it will probably weaken stronger state laws
(2) There are not provisions for class-action suits based on
recognizing the data loss as the damage.

I think nearly everyone realizes (1) once they think about it.
However, for (2): every class action lawsuit stemming from a data
breach [which I have read] has been tossed out of court because the
victims cannot show damage. Its like a judge saying, "there's no proof
that the thief who stole your money spent the money". Law makers and
judges don't realize (or acknowledge) the data is the commodity.
Victims will have to endure years of anxiety, countless hours lost on
"what to do after a loss", and self funded credit monitoring because
the law and our courts have chosen to re-victimize the victims.

Jeff
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/