Re: [Fed-Talk] Can't wait for the mea culpa...
- Subject: Re: [Fed-Talk] Can't wait for the mea culpa...
- From: Jeffrey Walton <email@hidden>
- Date: Mon, 10 Sep 2012 13:59:48 -0400
Hi Todd,
> When I read the line "We decided to come forward to apologize to our customers, partners and the public in general that this got out there", my first thought was "*decided*? Aren't they required to come forward because of various disclosure laws?"
It made my blood boil too but I bit my tongue (I was a long time
contributor of material to the Dataloss Database).
To answer your question, yes there are [varying] disclosure laws. 46
states, the District of Columbia, and Puerto Rico have them. From the
National Conference of State Legislators:
http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.
The problem with the disclosure laws is they are not enforced, and the
laws focus on Personally Identifiable Information (PII). I've written
to the Office of Attorney General (MD) on a number of occasions about
wanton disregard of Maryland's laws by various firms in a number of
sectors from Retail to Financial Services - not one investigation or
fine. Sensitive information, such as the combination of a safe or a
UDID, is usually not covered under definitions. Since it's information,
I'm not even sure there is clear ownership (unless of course, it's DRM
related).
Hence the reason it's difficult to show damages and be made whole.
Jeff
On Mon, Sep 10, 2012 at 1:19 PM, Todd Heberlein <email@hidden> wrote:
>
> On Sep 10, 2012, at 9:46 AM, "Villano, Paul Mr CIV USA TRADOC" <email@hidden> wrote:
>
>> I guess the good news for those whose numbers were stolen is you probably couldn't have sued (or won) against the FBI, but BlueToad is probably going to have its frog legs fried.
>
> When I read the line "We decided to come forward to apologize to our customers, partners and the public in general that this got out there", my first thought was "*decided*? Aren't they required to come forward because of various disclosure laws?"
>
> But I don't think this information rises to disclosure laws. I don't think there was specific "personally identifiable information". I just don't feel the UDID and the name you give your device rises to that level.
>
> The cost of defending themselves may destroy the company, but I don't think they did anything egregious.
>