BreachExchange mailing list archives

Re: Knock, knock. Who's there? No one.


From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Tue, 26 Feb 2013 14:13:14 -0600

Instead of 48 hours' warning, make it 2 business days.  This is because it is
quite common for companies' decision makers to become incommunicado, from
their own employees, during weekends and holidays, when the people left
behind are not authorized to respond to anything outside normal business
activities.

Not all institutions have a public web site, especially smaller companies
whose sales are not to consumers but within an industry.  Most of those
institutions have a payroll system, where they can easily have over 50
employees' personal identification info at risk of breach.

Some institutions do not have a responsible person, as defined by this
proposed law.  They may have someone who wears many hats, one of which is
cyber security, and who perhaps attends to that detail once a month.  They
may rely upon outside consultants who are not on call all the time, but are
only called when top management thinks there is a problem worthy of calling
them.

Companies can set up e-mail systems with various names of "responsible
parties" in charge of various duties, which are forwarded to the current
real people in those jobs; then, with turnover and not much in the way of a
computer department, those "responsible parties" e-mail addresses can become
no-one home.

There needs to be an alternative way for institutions without web sites or
persons with cyber security responsibilities to accept breach reports.
I suggest: fax machine; snail mail address; company law firm contact
info; company auditors identified.

How can an institution have a breach if they do not have a web site?
They can have computers connected to the Internet via e-mail, FTP, VPN,
WiFi, and many other communication protocols.  They can have dumpsters open to
dumpster diving.  They can have weaknesses in physical security.  They can
have auditors, or other third parties with access to their data, which have
breakdowns in security.

Many web sites are not intended to accept comments.  Some government web
sites are like that.  They exist only to broadcast info to the public.

I tried to post the above as comments to
http://www.databreaches.net/?p=26909, but my connection timed out several
times.

Al Mac (WOW) = Alister William Macintyre

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
