BreachExchange mailing list archives

Re: They Take it Seriously? Oh, Sure - Criminally Liable?


From: "Jeff Walker" <jwalker () absolute com>
Date: Wed, 10 Jan 2007 07:02:13 -0800

Good stuff, guys.
 
My questions to the experts on data protection laws are:  1) do some states say organizations don't have to disclose a 
breach if the data was encrypted?, and 2) are there differences in disclosure methodology/semantics for an external 
theft versus an internal one?
 
Thanks in advance!
 
 
--jeff 
 
________________________________

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of ray.hawkins () comcast net
Sent: Wednesday, January 10, 2007 8:50 AM
To: B.K. DeLong; Richard Forno
Cc: dataloss () attrition org
Subject: Re: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable? [faked-from]
 
My sense is that it has become nothing more than "aw shucks" gotta fess up p.r. vomit.  It may be interesting to see 
how, if any, political winds may shift with the new Congress and whether any cohesive regulatory/statutory bills with 
teeth will pass with the Dems.  Have the prevailing perspectives become that "it is not a matter of 'if' but 'when'" a 
breach or another breach will happen?  Shoring up data privacy controls is a business decision that is being weighed in 
terms of the cost of control and risk mitigation versus the cost absorption of a breach - just another footnote on a 
balance sheet or a single buried line in the annual report.  The "what if" may be whether or not the wascally wabbits 
would weally weally take it seriously (insert Elmer Fudd voice) if they were instead criminally liable for data 
breaches in absence of a defined due diligence in protecting data.  Thoughts?
 
--
~The Hawk
        -------------- Original message -------------- 
        From: "B.K. DeLong" <bkdelong () pobox com> 
        
        > That would be an interesting data point to collect - how many 
        > incidents had a corporate wonk saying something to the effect of "very 
        > seriously" or "extremely seriously". 
        > 
        > On 1/10/07, Richard Forno wrote: 
        > > They Take it Seriously? Oh, Sure 
        > > January 9th, 2007 by Dan Gillmor 
        > > 
        > > (I originally wrote this for PR Week magazine.) 
        > > 
        > > Several weeks ago, UCLA acknowledged that some of its computers had been 
        > > hacked. Obeying a state law, it notified more than 800,000 people that their 
        > > personal data, including Social Security numbers, might have ended up in the 
        > > wrong hands. 
        > > 
        > > The fact that the data got loose wasn't all that striking. Unfortunately, 
        > > that's all too common. What struck me was this statement from a hapless UCLA 
        > > honcho: "We have a responsibility to safeguard personal information, an 
        > > obligation that we take very seriously." 
        > > 
        > > When and where have I heard that before? All kinds of times and places, 
        > > actually. It's becoming a mantra that means almost nothing. 
        > > 
        > > Try this: Plug "we take" and "very seriously" into a Google News or Yahoo 
        > > News search. You'll get hundreds of hits, albeit some repeats, where some 
        > > big institution - corporate, educational, government, whatever - makes a 
        > > giant blunder and then issues a "we take (insert the violated policy) very 
        > > seriously" statement. 
        > > 
        > > < - > 
        > > 
        > > http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/ 
        > > 
        > > 
        > > _______________________________________________ 
        > > Dataloss Mailing List (dataloss () attrition org) 
        > > http://attrition.org/dataloss 
        > > Tracking more than 143 million compromised records in 529 incidents over 6 years. 
        > > 
        > > 
        > > 
        > 
        > 
        > -- 
        > B.K. DeLong (K3GRN) 
        > bkdelong () pobox com 
        > +1.617.797.8471 
        > 
        > http://www.wkdelong.org Son. 
        > http://www.ianetsec.com Work. 
        > http://www.bostonredcross.org Volunteer. 
        > http://www.carolingia.eastkingdom.org Service. 
        > http://bkdelong.livejournal.com Play. 
        > 
        > 
        > PGP Fingerprint: 
        > 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE 
        > 
        > FOAF: 
        > http://foaf.brain-stream.org 
        > 
        > 
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 143 million compromised records in 530 incidents over 7 years.


