Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Privacy: Do We Need a National Data Breach Disclosure Law?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:42:18 PM
Re: Victim Shaming
@Dallas: On this "victim shaming", I'm going to suggest that in some cases it's well deserved. Facebook deserves it now and deserved it in 2012 because of how they have disrespected users and their data for so long. Uber deserves it too, for similar reasons. The healthcare industry DEFINITELY deserves it because they are lagging behind so much -- and because people don't have as much choice about their healthcare providers or insurance carriers. And it's a huge motivator for e-commerce -- because they know that the brand damage will simply cause people to move to another platform (unlike with, say, a bank; people aren't going to en masse move investment accounts and mortgages and credit cards because of a little breach -- especially considering the consumer protections in financial services).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:36:55 PM
Re: Web
Sure, but we ALREADY HAVE numerous state laws here. Federal law on data-breach notification specifically isn't going to add any meaningfully significant privacy protections (unless there was to be a severe cracking down, with far stricter requirements and shorter deadlines than even the strictest states require -- which would have its own drawbacks) except to further confuse compliance officers and confound compliance efforts -- the cost of which get passed on to customers, meaning that these companies now need to sell even MORE user data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2018 | 6:33:37 PM
Let's leave it alone.
I understand the concerns, but at this point, it doesn't matter much. Almost all the states have their own laws here, and the strictest states (effectively MA, CA, and -- where PCI-DSS is concerned -- MN, NV, and WA) effectively create "floors" for national/regional organizations. To put federal law/regulation on top of this all would seriously muck things up even more for compliance efforts, IMHO.



(Disclaimer: This post is provided for informational, educational and/or entertainment purposes only. Neither this nor other posts here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
DallasBishoff
50%
50%
DallasBishoff,
User Rank: Author
3/28/2018 | 9:00:13 PM
Re: Victim Shaming
It is important to note that most people who provide their privacy information to a third party are doing so for the purpose of receiving a service, or participating in a collective social forum. Many organizations cannot provide the service to an individual without collecting personal information. For instance, any transaction that involves a credit card payment. In that regard, there is no basis for "victim sharing." The individual has done nothing more than picked a service provider. Unfortunately, sometimes these types of data sets are compromised. 

Now, if you are referring to an independent vendor with a data set that includes privacy data, many of them are already very sensitive to the reputation risk associated with a data breach. In a breach, they too are a victim, noting that a compromise may involve a criminal act. However, not all breach scenarios involve criminal acts. There is a long history of data disclosures that are a result of simple human error - an access control mechanism was not implemented properly, and the ability to freely discover and access the data was both possible, and actually occurred. 

In summary, victim shaming is not going to make the landscape better. Problems are solved through addressing the root cause, and not symptomatic attributes. However, thank you for your thoughts. As the author of the article, I hope that you benefited from the perspective presented.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:09:35 PM
Re: Victim Shaming
Yes, we need to do more to protect the data and privacy. I agree. There is a shared responsibility everybody needs to pay attention and do their parts, and then there is criminals we need to go after.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:06:21 PM
Re: Victim Shaming
Easier to go after the victim and blame them for what they could have/should have/might have done differently. This make sense, at the same time when it comes to security it is everybodys responsibility.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:03:59 PM
Re: Victim Shaming
Maybe it's time that we return to criminalizing the criminal instead of the victim This is a good point to raise. Holding the criminal responsible is the way to go.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 7:02:29 PM
Standard
They contend a federal standard would simplify compliance and make the threshold for disclosure clear to businesses and consumers alike. This may be good to get early notification when there is a breach, if you remember yahoo, they reported it 4 years later.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 6:59:10 PM
Two seconds
In the US, an identity is compromised every two seconds. This is really very scary to hear. There has to be a better way to manage security of our indentity
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/28/2018 | 6:55:43 PM
PII
We have healthcare laws that address privacy, but only when the privacy data is protected health information, a form of PII. PII may apply outside of healthcare as far as I understood, for healthcare there is PHI protection.
Page 1 / 2   >   >>


Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16966
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
CVE-2019-9491
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
CVE-2019-16964
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
CVE-2019-16965
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
CVE-2019-18203
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.