Interesting People mailing list archives
Breach Notification Loopholes (was Have you stayed at a Radisson since last November?)
From: David Farber <dave () farber net>
Date: Thu, 20 Aug 2009 12:13:34 -0400
Begin forwarded message:
From: Ethan Ackerman <eackerma () u washington edu>
Date: August 20, 2009 11:45:57 AM EDT
To: dave () farber net
Subject: Re: [IP] Breach Notification Loopholes (was Have you stayed at a Radisson since last November?)
Reply-To: eackerma () u washington edu

Greetings Dave,

Gordon's questions about the timing of the Radisson notification point to a little-known but fairly large loophole in many data breach notification laws. Most notification laws have a (mostly sensible) exception that notification isn't required, or in some cases even permitted, if notification would impede an active law enforcement investigation. You don't want to tip off an active intruder if there's a good chance the cops are working to catch him.

Realizing that data breach notification laws were passing in almost every state, lobbyists for those opposed to such laws seized on this provision to water down the bills. As a result, many notification laws now allow _the breached company_ to decide whether notification would interfere with an investigation. In other cases, a company could indefinitely avoid notification even after an investigation is completed, on the grounds of the initial (but completed) investigation. Some states even granted a related exception to notification if the company determined after an investigation that a breach wasn't "material" (in the company's opinion).

A few states are moving to tighten some of these loopholes. For example, Maine just amended its law to require notice within 7 days after law enforcement officials give the all clear. See privacylaw.proskauer.com/2009/05/articles/security-breach-notification-l/seven-days-is-all-she-wrote-/
On Thu, Aug 20, 2009 at 10:49 AM, David Farber<dave () farber net> wrote:
Begin forwarded message:
From: Gordon Syme <gordon () twiceasgood net>
Date: August 20, 2009 4:45:24 AM EDT
To: dave () farber net
Subject: Re: [IP] Have you stayed at a Radisson since last November?

Prof. Farber, for IP if you deem fit

On Wed, 2009-08-19 at 14:28 -0400, David Farber wrote:
> Begin forwarded message:
> From: Randall <rvh40 () insightbb com>
> Date: August 19, 2009 2:16:40 PM EDT
> To: David Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>, johnmacsgroup () yahoogroups com
> Subject: Have you stayed at a Radisson since last November?
>
> http://www.radisson.com/openletter/openletter-faq.html
>
> What happened? When did it happen?
> Between November 2008 and May 2009, the computer systems of some Radisson® hotels in the U.S. and Canada were accessed without authorization. This unauthorized access was in violation of both civil and criminal laws. Radisson has been coordinating with federal law enforcement to assist in their investigation of this incident.
>
> Why didn't you notify me sooner?
> Working closely with law enforcement and forensic investigators, it has taken some time to analyze the origins and extent of the unauthorized access.

Why not notify people immediately when the breach is discovered? The "origins and extent" of the breach don't materially affect any of the individuals whose personal information may have been compromised. The important thing here is that the information was compromised. Are these affected people really going to take different measures based on where their information went?

The text of the letter makes it seem like the breach was discovered in May 2009. It is now August, giving the bad guys at least two full months to work with the information they acquired. Surely the responsible approach is to notify everybody immediately and work out exactly what happened later? Better to notify too many people quickly than notify exactly the affected people after their personal information has already been put to nefarious purposes.
-Gordon

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com