BreachExchange mailing list archives
Data breach fines can risk more harm than good, experts say
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Apr 2011 02:23:51 -0400
Regulations designed to help guard consumer financial accounts and privacy may start doing more harm than good if taken too far

April 21, 2011 — CSO — Are regulatory and security breach fines protecting the consumer, or beginning to unduly drive security policy? As penalties begin to be levied against organizations that have been attacked, or whose employees violated data policy, some experts now question whether the government is penalizing one of the victims in a crime, rather than helping to mitigate the risk of identity theft — as the laws were first intended.

Consider the move by the Massachusetts Attorney General against restaurant chain owner the Briar Group LLC. A few weeks ago the attorney general announced that it had reached an agreement with Briar Group to pay $110,000 in penalties. The settlement stems from allegations that the restaurant chain didn't adequately protect customer payment data after a malicious application was installed on its systems. The malware was on its network from April 2009 through December 2009.

The allegations against the chain say that the group didn't change employee login information and continued to take credit and debit cards after it discovered the breach, according to this statement from the Massachusetts Attorney General. The complaint also alleges that the chain failed to properly secure its remote access utilities and wireless network.

Certainly not security practices to applaud. However, experts contend that — because of the lousy inherent insecure state of applications and IT systems — enterprises can have all of the right security technologies, policies, and procedures in place and still end up on the wrong end of a state action.

"These database breach notification laws were not intended to set standards of care," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "They were initially intended to help consumers, who had their information breached, to avoid identity theft," he says. "The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach," he adds.

Mike Wiltermood, chief executive officer at Enloe Medical Center, based in Chico, California, might agree. Enloe decided to fight a fine it received last year after it reported that the center had discovered that on several different instances the medical records of one patient were inappropriately accessed. The medical center says it discovered the violations through its own monitoring, investigation, and self-reporting of the incident to California authorities.

The result? The California Department of Public Health (CDPH) opted to fine Enloe anyway. The center didn't think the state's actions were justified.

[..]

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list