Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Data Breach Notifications: Time For Tough Love
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
WKash
50%
50%
WKash,
User Rank: Apprentice
2/18/2014 | 4:56:04 PM
Re: A complicated issue
One of the legitimate challenges companies face in reporting data breaches is the patchwork of laws they face in 46 states, plus the District of Columbia, and US territories.  Even doing the right thing can take a long time to figure out.

There's good reason to worry if the federal government steps in with another layer of regulation, but there's merit in standardizing responses to data breaches for companies and their customers. So there may be some good news in the bill introduced this week by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework. As they noted, consumers across the country aren't uniformly protected the hodge podge of rules and guidelines cmpanies must follow just aren't that helpful or effective in today's national economy.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:38:26 PM
Re: Competitive differentiator
I thinkPCI-DSS SHOULD  be seen as a third-party certifier and protection for card holder. But based on recent events, we definitely need something more..
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/13/2014 | 12:18:21 AM
Re: Competitive differentiator
Marilyn, I am fully with you - keeping the confidential information in secure and secret place is the basic business requirement. The enterprise should keep this in mind and bear the cost. The third-party certification like the ones issued by CA would be a good choice but the implementation of it should be re-enforced. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 9:50:44 AM
Re: Competitive differentiator
In today's connected world, retailers must view the job of maintaining the security of their custmers personal identiy information as a cost of doing business. It seems to me that a third-party certification of some sort against some standard -- encryption or other -- would be the best way to do that.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 4:22:13 AM
Re: Competitive differentiator
A low encryption level is better than no encryption. Medium encryption is better than low encryption and so forth. And I take that the higher up we go, the higher will be the cost to deploy encryption. If a state exempts companies from disclosures if they had the data encrypted, it makes sense because it illustrates that the company was thinking about security, but how will a state decide which level of encryption is acceptable.

If a company genuinely cares for security it will not employ the bare minimum that is required by law, but will employ whatever is best based on the level of revenue its service generates, if the bare minimum by law is set too high and SME enterprise cannot earn a profit while enabling encryption then the business will close shop.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 3:46:24 AM
Re: A complicated issue
It is in the business's interest to protect its customers, their data and privacy. Without a sense of security e-commerce would be nonexistent, if the level of security that a firm provides to their customers is high then a breach is going to take extra time to investigate. If a non-encrypted hard disk was stolen then it is easy to report: a hard disk containing usernames etc has been stolen. But if an encrypted hard disk has been stolen it depends on the level of encryption employed and the ability/resources needed to access the information which would determine whether the data containing on the hard disk can even be used in a negative fashion.  
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
2/7/2014 | 7:16:00 PM
Re: A complicated issue
I have never experienced a data loss event in my career, but I can imagine the hardship that would come from it.

You are stuck in the middle of a really bad problem - oftentimes organizations probably don't even know at first the extent of the breach and how they should properly communicate what the problem is.

This is why many comapnies who are confronted with this problem appear to be fumbling around for the right responses - they initially don't know what to sat. 
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Strategist
2/7/2014 | 5:58:10 PM
Re: Competitive differentiator
Or, might it spur more companies to use encryption routinely? Some states exempt companies from disclosure if the data's encrypted.  
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/7/2014 | 12:22:20 PM
Competitive differentiator
I love the parking ticket rule. And, it seems like only a matter of time until businesses spring up that promise NOT to hold any personal data. If I had a choice between Store A that mines the crap out of my info and keeps my CC numbers and Store B that doesn't -- and can prove it via third-party inspection -- guess where I'm shopping.
RichK211
50%
50%
RichK211,
User Rank: Apprentice
2/7/2014 | 10:14:01 AM
Companies That Disclose Crises Protect Reputation
Great idea to mandate disclosure but companies from every industry should want to do that anyway to protect long term reputation and profits. Here are some of my thoughts on the Target matter about how the company handled its public disclosure of the data breach.

http://www.riskandinsurance.com/target-as-target/
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26564
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
CVE-2020-26565
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.
CVE-2021-33617
PUBLISHED: 2021-07-31
Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid.
CVE-2021-27491
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process.