BreachExchange mailing list archives

Do Breach Notification Laws Work?


From: security curmudgeon <jericho () attrition org>
Date: Thu, 12 Mar 2009 18:56:20 +0000 (UTC)



---------- Forwarded message ----------
From: Richard Forno <rforno () infowarrior org>

Do Breach Notification Laws Work?
By Kim Zetter, March 09, 2009 | 9:00:00 AM

http://blog.wired.com/27bstroke6/2009/03/experts-debate.html

Consumers caught in a national epidemic of data spills are growing numb, 
discarding breach notification letters as junk mail rather than acting to 
protect their identity, experts say.

And though most states now have laws requiring companies to warn breach 
victims, some serious breaches are still showing up on customer credit and 
bank statements before any official warning has been issued. It all begs 
the question: are the notification laws working?

This was the question that a number of speakers at the Security Breach 
Notification seminar held in Berkeley on Friday (at right) tried to 
answer.

When California passed the first data breach notification law in 2003, it 
quickly became the de facto standard for the rest of the country. A total 
of 44 states now have breach notification laws, which vary only slightly 
in their definitions of what constitutes a breach that requires 
notification and what companies must do when they experience a breach.

It's clear that the laws have made the public more aware of breaches and 
the vulnerability of their data, and have exposed poor security practices 
at many businesses. A 2005 study by the FBI showed that in the absence of 
a legal requirement to report breaches, only 20 percent of firms would 
report serious breaches to law enforcement.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)