BreachExchange mailing list archives

Re: Do Breach Notification Laws Work?


From: Adam Shostack <adam () homeport org>
Date: Mon, 16 Mar 2009 15:34:48 -0400

On Mon, Mar 16, 2009 at 07:22:16AM -0700, TSG wrote:
| Adam Shostack wrote:
| >On Thu, Mar 12, 2009 at 06:12:44PM -0400, Jeffrey Walton wrote:
| >| > breach notification letters as junk mail rather than acting to
| >| > protect their identity, experts say.
| >| It's unfortunate that consumer behavior is so predictable. Over
| >| exposure has led to apathy in most cases. It's been an Achilles heel
| >| for a lot of security initiatives: browser warnings, problematic
| >| certificates, site redirection, etc. Users just click OK to keep
| >| drilling on... Many do not even take the time to read the warning
| >| message. Most who do read the warning do not understand it because
| >| security folks and programmers are the authors of the warning. Mom and
| >| Grandpop have no idea of what is being said in most instances.
| >
| >It would be great if consumer behavior were predictable, and security
| >people bothered to try predicting their reactions to our efforts,
| >rather than repeating the mistakes of the past.

| The issue here is legal accountability for failing or refusing to 
| release information about incompetence in the operations of the 'system 
| where the leak occurred' in one form or another. And really has NOTHING 
| to do with the bull-sh*t response regarding 'customer predictability' - 
| this again is an issue where the law is very clear and technology and 
| business people believe that they have a better way - or that they are 
| not constrained by it. Something about what happens when we put on that 
| white coat.
| 
| Personally - it's time to start sending people to jail for refusing to 
| meet the requirements of the law.

Todd,

My snide comment was directed at a behavior in some security
practitioners to do the same thing over and over without noticing that
it's not working or *predicting* that the next time they do it, it
won't work again.

Adam

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)


