BreachExchange mailing list archives

Re: [vanderaj () greebo net: SF new column announcement:Strict liability for data breaches?]


From: <MariaParedes () financial wellsfargo com>
Date: Tue, 21 Feb 2006 10:59:54 -0600

I completely agree on having the IT community provide input on the technical aspects for each of those acts.

Ever since joining this list (less than a month), I've noticed a pattern: the data breaches across the US and the world 
seem to be a daily issue. Every time I read of another data loss, I question the security and policies of these major 
corporations to which so many consumers entrust their personal and financial information.

I believe major changes need to happen in the data security arena and one of those should be to empower (and inform) 
the billions of affected individuals to take charge and follow suit for any company that mishandles their information. 
After all, why would I want to trust a company with my personal and/or financial data if they cannot assure me that it 
will be protected as their most valuable asset?



María G Paredes
OS Analyst

"This message may contain confidential and/or privileged information. If you are not the addressee or authorized to 
receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise the sender immediately by reply e-mail 
and delete this message. Thank you for your cooperation".  


-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Adam Shostack
Sent: Tuesday, February 21, 2006 10:36 AM
To: Mike Fratto
Cc: dataloss () attrition org
Subject: Re: [Dataloss] [vanderaj () greebo net: SF new column announcement:Strict liability for data breaches?]

On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack <adam () homeport org> wrote:
| > Interesting article.  I wonder how many laptops need to be stolen for
| > it to be foreseeable.
| 
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defining that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.

Sure.  Doesn't the standard of due care depend (in part) on
foreseeability?  Eg, a normal person should foresee that kids will come
play in their pool.  IANAL.

Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.

| I really think the regulations are written in a vacuum. Ever read the
| technical requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reworded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.

Yes.

_______________________________________________
Dataloss mailing list
Dataloss () attrition org
https://attrition.org/mailman/listinfo/dataloss

