
QOTD - Litan on Online Bank Fraud

The law hasn't kept up, the regulators haven't kept up, and you're going to get a different opinion from every judge.
[...]
In the end, businesses are guilty until proven innocent.
-- Avivah Litan, VP & Distinguished Analyst at Gartner Research

Src: Who Bears Online Fraud Burden: Bank or Business? -- InformationWeek

QOTD on Fighting Breaches

The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach.
-- Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation.

QOTD on Big Brother's Little Brother

In the past we only worried about Big Brother governments assembling detailed dossiers about us. Then came what privacy advocates called Little Brother – corporations that collect data from their customers.
-- Don Tapscott and Anthony D. Williams

Src: CTV News | Social media's unexpected threat

QOTD on Social Networks

Anyone who visits a social networking site should know that it's a business model. The service is not free. We users pay for it with our private data.
-- Ilse Aigner, Germany's Consumer Minister
Src: German minister calls for Internet 'honour code'

QOTD - EU Justice Commissioner on Privacy Laws

We need to find ways to empower web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. -- Viviane Reding, EU Justice Commissioner
Src: EU Data-Protection Laws Need Revamping for Internet Privacy, Reding Says - Bloomberg

QOTD on Passwords & Lemons

Because ordinary users are unlikely to spot the difference between high and low-quality password implementations, password security in websites can be modelled as a lemons market. In applying this model, insecure sites can beat secure sites in the market with lower deployment costs if password security offers no advantage in gaining users.

Src: The password thicket: technical and market failures in human authentication on the web, Ninth Workshop on the Economics of Information Security (WEIS 2010), 7-8 June 2010, Harvard / USA, 2010.

QOTD on Privacy & Internet

We're at a very early stage right now of figuring out how do we keep the Internet as a space where individuals can be empowered, yet at the same time [make sure that] it doesn't turn into a place where people are just attacking each other and bringing down each other's systems. -- Rebecca MacKinnon of Princeton University's Center for Information Technology Policy
Src: Does Averting Cyberwar Mean Giving Up Web Privacy? : NPR

QOTD on Possible Federal Data Breach Law

Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn't make sense from a cost or efficiency point of view. I'd hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. -- Phil Neray, VP of Guardium
Src: Federal data breach notification standard must pre-empt state laws | Nextgov

QOTD - Schmidt on Current Laws

We still have 18th century laws looking at 21st century technologies – that needs to be changed. -- Howard Schmidt, ISF President & CEO.
Src: RSA Europe: Two-factor authentication is worth nothing, says executive director, EEMA | Infosecurity (UK)

QOTD on Privacy

Privacy is an essential freedom that shapes our society, an internationally recognized human right, and the foundation of modern democracy, but if we don’t value our privacy or stand up for it as our right, it will be eroded over time. -- Office of the Privacy Commissioner of Canada
Src: Maintaining your privacy continues to be a challenge every day | Sault This Week

QOTD - Pescatore on Lawsuits & Executives

There is always a hope in security circles that threats such as class action lawsuits or 'downstream liability' will cause a light bulb to go off in boards of directors' heads and they will say 'Aha - information security is important, increase the budget, promote the CISO!!' In reality, when boards hear 'liability' they tend to mostly make sure that the corporate Directors and Officers Liability insurance coverage is sufficient. The actual business damage of incidents is usually the bigger driver for action by boards of directors. -- John Pescatore, Vice President at Gartner Inc., writing about Aetna being named in a class action data breach lawsuit.
Src: SANS Institute - SANS NewsBites Vol 11 Num 46

QOTD on Laws & Technology

We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls

Warner Touts E-Medical Data Despite Hacker Attack

One of the keys is how we ensure security and privacy. Just as we see that in financial records you can never get 100 percent protection, we have a very efficiently functioning system around financial records (and) around other critical information. -- US Senator Mark Warner

The recent news about a hacker gaining access to the State of Virginia's Prescription Monitoring Program highlights the differences, not the similarities, between the financial system and the health care system. In the financial system, money is fungible: one dollar bill is as good as another, so if your account is compromised and you are not the culprit, your account's balance will be restored in time.

In the case of electronic medical records, the records contain a detailed report of your health history, your prescription history, and possibly your mental health history. Health care data has intrinsic value; once stolen, that information can not only be used to commit prescription fraud and medical procedure reimbursement fraud, but long-term, it can be used to take advantage of you and those around you.

The article goes on to say that "frustrated lawmakers wanted to know why a firewall put in place by the Virginia Information Technologies Agency and its contractors didn't foil the attack." This statement illustrates how little the average lawmaker knows about the current level of threats to electronic data. Unfortunately, while your credit card can be closed and a new number re-issued, your health care records cannot.

Src: Warner Touts E-Medical Data Despite Hacker Attack | NYTimes.com

QOTD - Honan on Cybercrime and the courts

The fight against cyber crime will continue to be an uphill struggle if courts continue to signal to criminals that cyber crime is not treated seriously. -- Brian Honan, member editorial board of SANS NewsBites & independent security consultant based in Dublin, Ireland
Src: SANS NewsBites vol 11 Num 28

When your data center vanishes

Your company has SLAs in place, servers and databases hosted in a reliable data center with redundant power, many days/weeks of backup generator fuel, etc. You're set, right?

Companies that had used a data center called Core IP Networks, recently raided by the FBI, are suddenly finding themselves with nothing: no data center, no servers, no backups, no data, and therefore a lot of angry customers (who may not remain customers for long).

Matthew Simpson, CEO of Core IP Networks said: "If you run a data center, please be aware that in our great country, the FBI can come into your place of business at any time and take whatever they want, with no reason."

Lesson of the day? Check your options before putting all your eggs in the same basket.

Src1: Company Caught in Texas Data Center Raid Loses Suit Against FBI | Wired.com
Src2: FBI Defends Disruptive Raids on Texas Data Centers | Wired.com

QOTD - Schneier on data breach laws

The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control – or even knowledge – of the company's security practices. -- Bruce Schneier

Years ago, I had the chance to attend a presentation by Bruce Schneier where he covered the various drivers to improve information security (legislation, insurance, loss of customers). In this article, Bruce expands on the need for data breach notification laws and makes the case for stronger authentication around the use of credit (to mitigate ID theft).

Src: Why security breach notification laws are a good thing | OUT-LAW.COM

QOTD - Alan Paller on due care and cyber lawsuits

Alan Paller, Director of Research at the SANS Institute, wrote the editorial opinion on the recent lawsuits against RBS (Royal Bank of Scotland), Heartland Payment Systems, and the US Veterans Administration:

Since security probably will never be perfect, what is needed is a minimum standard of due care that agencies, companies, and courts can use to determine how much and what kind of investment in security is 'enough'. -- Alan Paller, Director of Research at the SANS Institute
Src: SANS NewsBites Vol 11 Num 14