Re: Do Breach Notification Laws Work?

[bethg () privacyrights org]

The journalist who wrote the story failed to mention that public interest
groups like ours, along with other nonprofits, DO pay attention to
information about breaches. We in turn are in touch with lawmakers,
regulators, and their staff members. Breach notices are not lost on us.
    The states with laws that require breached entities to notify a
central authority in their state have taken the best approach, in my
opinion. And best of all is when those state authorities post the info
on a web site.
Beth Givens
Privacy Rights Clearinghouse

> > breach notification letters as junk mail rather than acting to
> > protect their identity, experts say.
> It's unfortunate that consumer behavior is so predictable. Over
> exposure has lead to apathy in most cases. It's been an Achilles heel
> for a lot of security initiatives: browser warnings, problematic
> certificates, site redirection, etc. Users just click OK to keep
> drilling on... Many do not even take the time to read the warning
> message. Most who do read the warning do not understand it because
> security folks and programmers are the author of the warning. Mom and
> Grandpop have no idea of what is being said in most instances.
>
> On 3/12/09, security curmudgeon <jericho () attrition org> wrote:
> > ---------- Forwarded message ----------
> > From: Richard Forno <rforno () infowarrior org>
> >
> > Do Breach Notification Laws Work?
> > By Kim Zetter EmailMarch 09, 2009 | 9:00:00 AM
> >
> > http://blog.wired.com/27bstroke6/2009/03/experts-debate.html
> >
> > Consumers caught in a national epidemic of data spills are growing numb,
> > discarding breach notification letters as junk mail rather than acting
> > to
> > protect their identity, experts say.
> >
> > And though most states now have laws requiring companies to warn breach
> > victims, some serious breaches are still showing up on customer credit
> > and
> > bank statements before any official warning has been issued. It all begs
> > the question: are the notification laws working?
> >
> > This was the question that a number of speakers at the Security Breach
> > Notification seminar held in Berkeley on Friday (at right) tried to
> > answer.
> >
> > When California passed the first data breach notification law in 2003,
> > it
> > quickly became the defacto standard for the rest of the country. A total
> > of 44 states now have breach notification laws, which vary only slightly
> > in their definitions of what constitutes a breach that requires
> > notification and what companies must do when they experience a breach.
> >
> > It's clear that the laws have made the public more aware of breaches and
> > the vulnerability of their data, and have exposed poor security
> > practices
> > at many businesses. A 2005 study by the FBI showed that in the absence
> > of
> > a legal requirement to report breaches, only 20 percent of firms would
> > report serious breaches to law enforcement.
> >
> > [..]
> > _______________________________________________
> > Dataloss Mailing List (dataloss () datalossdb org)
> >
> > CREDANT Technologies, a leader in data security, offers advanced data
> > encryption solutions.
> > Protect sensitive data on desktops, laptops, smartphones and USB sticks
> > transparently
> > across your enterprise to ensure regulatory compliance.
> > http://www.credant.com/stopdataloss
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
>
> CREDANT Technologies, a leader in data security, offers advanced data
> encryption solutions.
> Protect sensitive data on desktops, laptops, smartphones and USB sticks
> transparently
> across your enterprise to ensure regulatory compliance.
> http://www.credant.com/stopdataloss


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss