Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Data Breach Notifications: Time For Tough Love
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
WKash
50%
50%
WKash,
User Rank: Apprentice
2/18/2014 | 4:56:04 PM
Re: A complicated issue
One of the legitimate challenges companies face in reporting data breaches is the patchwork of laws they face in 46 states, plus the District of Columbia, and US territories.  Even doing the right thing can take a long time to figure out.

There's good reason to worry if the federal government steps in with another layer of regulation, but there's merit in standardizing responses to data breaches for companies and their customers. So there may be some good news in the bill introduced this week by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework. As they noted, consumers across the country aren't uniformly protected the hodge podge of rules and guidelines cmpanies must follow just aren't that helpful or effective in today's national economy.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:38:26 PM
Re: Competitive differentiator
I thinkPCI-DSS SHOULD  be seen as a third-party certifier and protection for card holder. But based on recent events, we definitely need something more..
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/13/2014 | 12:18:21 AM
Re: Competitive differentiator
Marilyn, I am fully with you - keeping the confidential information in secure and secret place is the basic business requirement. The enterprise should keep this in mind and bear the cost. The third-party certification like the ones issued by CA would be a good choice but the implementation of it should be re-enforced. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 9:50:44 AM
Re: Competitive differentiator
In today's connected world, retailers must view the job of maintaining the security of their custmers personal identiy information as a cost of doing business. It seems to me that a third-party certification of some sort against some standard -- encryption or other -- would be the best way to do that.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 4:22:13 AM
Re: Competitive differentiator
A low encryption level is better than no encryption. Medium encryption is better than low encryption and so forth. And I take that the higher up we go, the higher will be the cost to deploy encryption. If a state exempts companies from disclosures if they had the data encrypted, it makes sense because it illustrates that the company was thinking about security, but how will a state decide which level of encryption is acceptable.

If a company genuinely cares for security it will not employ the bare minimum that is required by law, but will employ whatever is best based on the level of revenue its service generates, if the bare minimum by law is set too high and SME enterprise cannot earn a profit while enabling encryption then the business will close shop.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 3:46:24 AM
Re: A complicated issue
It is in the business's interest to protect its customers, their data and privacy. Without a sense of security e-commerce would be nonexistent, if the level of security that a firm provides to their customers is high then a breach is going to take extra time to investigate. If a non-encrypted hard disk was stolen then it is easy to report: a hard disk containing usernames etc has been stolen. But if an encrypted hard disk has been stolen it depends on the level of encryption employed and the ability/resources needed to access the information which would determine whether the data containing on the hard disk can even be used in a negative fashion.  
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
2/7/2014 | 7:16:00 PM
Re: A complicated issue
I have never experienced a data loss event in my career, but I can imagine the hardship that would come from it.

You are stuck in the middle of a really bad problem - oftentimes organizations probably don't even know at first the extent of the breach and how they should properly communicate what the problem is.

This is why many comapnies who are confronted with this problem appear to be fumbling around for the right responses - they initially don't know what to sat. 
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Strategist
2/7/2014 | 5:58:10 PM
Re: Competitive differentiator
Or, might it spur more companies to use encryption routinely? Some states exempt companies from disclosure if the data's encrypted.  
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/7/2014 | 12:22:20 PM
Competitive differentiator
I love the parking ticket rule. And, it seems like only a matter of time until businesses spring up that promise NOT to hold any personal data. If I had a choice between Store A that mines the crap out of my info and keeps my CC numbers and Store B that doesn't -- and can prove it via third-party inspection -- guess where I'm shopping.
RichK211
50%
50%
RichK211,
User Rank: Apprentice
2/7/2014 | 10:14:01 AM
Companies That Disclose Crises Protect Reputation
Great idea to mandate disclosure but companies from every industry should want to do that anyway to protect long term reputation and profits. Here are some of my thoughts on the Target matter about how the company handled its public disclosure of the data breach.

http://www.riskandinsurance.com/target-as-target/
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9982
PUBLISHED: 2020-10-27
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Apple Music 3.4.0 for Android. A malicious application may be able to leak a user's credentials.
CVE-2020-3855
PUBLISHED: 2020-10-27
An access issue was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. A malicious application may be able to overwrite arbitrary files.
CVE-2020-3863
PUBLISHED: 2020-10-27
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. An application may be able to execute arbitrary code with system privileges.
CVE-2020-3864
PUBLISHED: 2020-10-27
A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.
CVE-2020-3880
PUBLISHED: 2020-10-27
An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 6.1.2, iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. Processing a maliciously crafted image may lead to arbit...