BreachExchange mailing list archives
Re: Do Breach Notification Laws Work?
From: Adam Shostack <adam () homeport org>
Date: Mon, 16 Mar 2009 15:34:48 -0400
On Mon, Mar 16, 2009 at 07:22:16AM -0700, TSG wrote:
| Adam Shostack wrote:
| >On Thu, Mar 12, 2009 at 06:12:44PM -0400, Jeffrey Walton wrote:
| >| > breach notification letters as junk mail rather than acting to
| >| > protect their identity, experts say.
| >| It's unfortunate that consumer behavior is so predictable. Over
| >| exposure has led to apathy in most cases. It's been an Achilles heel
| >| for a lot of security initiatives: browser warnings, problematic
| >| certificates, site redirection, etc. Users just click OK to keep
| >| drilling on... Many do not even take the time to read the warning
| >| message. Most who do read the warning do not understand it because
| >| security folks and programmers are the authors of the warning. Mom and
| >| Grandpop have no idea of what is being said in most instances.
| >
| >It would be great if consumer behavior were predictable, and security
| >people bothered to try predicting their reactions to our efforts,
| >rather than repeating the mistakes of the past.
| The issue here is legal accountability for failing or refusing to
| release information about incompetence in the operations of the 'system
| where the leak occurred' in one form or another. And really has NOTHING
| to do with the bull-sh*t response regarding 'customer predictability' -
| this again is an issue where the law is very clear and technology and
| business people believe that they have a better way - or that they are
| not constrained by it. Something about what happens when we put on that
| white coat.
|
| Personally - it's time to start sending people to jail for refusing to
| meet the requirements of the law.

Todd,

My snide comment was directed at a behavior in some security practitioners to do the same thing over and over without noticing that it's not working or *predicting* that the next time they do it, it won't work again.
Adam