Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Breach Notifications: Time For Tough Love
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Apprentice
2/18/2014 | 4:56:04 PM
Re: A complicated issue
One of the legitimate challenges companies face in reporting data breaches is the patchwork of laws they face in 46 states, plus the District of Columbia, and US territories.  Even doing the right thing can take a long time to figure out.

There's good reason to worry if the federal government steps in with another layer of regulation, but there's merit in standardizing responses to data breaches for companies and their customers. So there may be some good news in the bill introduced this week by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework. As they noted, consumers across the country aren't uniformly protected the hodge podge of rules and guidelines cmpanies must follow just aren't that helpful or effective in today's national economy.

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:38:26 PM
Re: Competitive differentiator
I thinkPCI-DSS SHOULD  be seen as a third-party certifier and protection for card holder. But based on recent events, we definitely need something more..
Li Tan
Li Tan,
User Rank: Apprentice
2/13/2014 | 12:18:21 AM
Re: Competitive differentiator
Marilyn, I am fully with you - keeping the confidential information in secure and secret place is the basic business requirement. The enterprise should keep this in mind and bear the cost. The third-party certification like the ones issued by CA would be a good choice but the implementation of it should be re-enforced. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 9:50:44 AM
Re: Competitive differentiator
In today's connected world, retailers must view the job of maintaining the security of their custmers personal identiy information as a cost of doing business. It seems to me that a third-party certification of some sort against some standard -- encryption or other -- would be the best way to do that.
User Rank: Apprentice
2/10/2014 | 4:22:13 AM
Re: Competitive differentiator
A low encryption level is better than no encryption. Medium encryption is better than low encryption and so forth. And I take that the higher up we go, the higher will be the cost to deploy encryption. If a state exempts companies from disclosures if they had the data encrypted, it makes sense because it illustrates that the company was thinking about security, but how will a state decide which level of encryption is acceptable.

If a company genuinely cares for security it will not employ the bare minimum that is required by law, but will employ whatever is best based on the level of revenue its service generates, if the bare minimum by law is set too high and SME enterprise cannot earn a profit while enabling encryption then the business will close shop.
User Rank: Apprentice
2/10/2014 | 3:46:24 AM
Re: A complicated issue
It is in the business's interest to protect its customers, their data and privacy. Without a sense of security e-commerce would be nonexistent, if the level of security that a firm provides to their customers is high then a breach is going to take extra time to investigate. If a non-encrypted hard disk was stolen then it is easy to report: a hard disk containing usernames etc has been stolen. But if an encrypted hard disk has been stolen it depends on the level of encryption employed and the ability/resources needed to access the information which would determine whether the data containing on the hard disk can even be used in a negative fashion.  
User Rank: Apprentice
2/7/2014 | 7:16:00 PM
Re: A complicated issue
I have never experienced a data loss event in my career, but I can imagine the hardship that would come from it.

You are stuck in the middle of a really bad problem - oftentimes organizations probably don't even know at first the extent of the breach and how they should properly communicate what the problem is.

This is why many comapnies who are confronted with this problem appear to be fumbling around for the right responses - they initially don't know what to sat. 
User Rank: Strategist
2/7/2014 | 5:58:10 PM
Re: Competitive differentiator
Or, might it spur more companies to use encryption routinely? Some states exempt companies from disclosure if the data's encrypted.  
Lorna Garey
Lorna Garey,
User Rank: Ninja
2/7/2014 | 12:22:20 PM
Competitive differentiator
I love the parking ticket rule. And, it seems like only a matter of time until businesses spring up that promise NOT to hold any personal data. If I had a choice between Store A that mines the crap out of my info and keeps my CC numbers and Store B that doesn't -- and can prove it via third-party inspection -- guess where I'm shopping.
User Rank: Apprentice
2/7/2014 | 10:14:01 AM
Companies That Disclose Crises Protect Reputation
Great idea to mandate disclosure but companies from every industry should want to do that anyway to protect long term reputation and profits. Here are some of my thoughts on the Target matter about how the company handled its public disclosure of the data breach.

Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-30
Nucleus CMS v3.71 is affected by a file upload vulnerability. In this vulnerability, we can use upload to change the upload path to the path without the Htaccess file. Upload an Htaccess file and write it to AddType application / x-httpd-php.jpg. In this way, an attacker can upload a picture with sh...
PUBLISHED: 2022-06-30
There is a buffer overflow in gps-sdr-sim v1.0 when parsing long command line parameters, which can lead to DoS or code execution.
PUBLISHED: 2022-06-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-3414. Reason: This candidate is a duplicate of CVE-2012-3414. Notes: All CVE users should reference CVE-2012-3414 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental u...
PUBLISHED: 2022-06-30
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to ...
PUBLISHED: 2022-06-30
Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R...