Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Data Breach Notifications: Time For Tough Love
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
WKash
50%
50%
WKash,
User Rank: Apprentice
2/18/2014 | 4:56:04 PM
Re: A complicated issue
One of the legitimate challenges companies face in reporting data breaches is the patchwork of laws they face in 46 states, plus the District of Columbia, and US territories.  Even doing the right thing can take a long time to figure out.

There's good reason to worry if the federal government steps in with another layer of regulation, but there's merit in standardizing responses to data breaches for companies and their customers. So there may be some good news in the bill introduced this week by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework. As they noted, consumers across the country aren't uniformly protected the hodge podge of rules and guidelines cmpanies must follow just aren't that helpful or effective in today's national economy.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:38:26 PM
Re: Competitive differentiator
I thinkPCI-DSS SHOULD  be seen as a third-party certifier and protection for card holder. But based on recent events, we definitely need something more..
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/13/2014 | 12:18:21 AM
Re: Competitive differentiator
Marilyn, I am fully with you - keeping the confidential information in secure and secret place is the basic business requirement. The enterprise should keep this in mind and bear the cost. The third-party certification like the ones issued by CA would be a good choice but the implementation of it should be re-enforced. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/10/2014 | 9:50:44 AM
Re: Competitive differentiator
In today's connected world, retailers must view the job of maintaining the security of their custmers personal identiy information as a cost of doing business. It seems to me that a third-party certification of some sort against some standard -- encryption or other -- would be the best way to do that.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 4:22:13 AM
Re: Competitive differentiator
A low encryption level is better than no encryption. Medium encryption is better than low encryption and so forth. And I take that the higher up we go, the higher will be the cost to deploy encryption. If a state exempts companies from disclosures if they had the data encrypted, it makes sense because it illustrates that the company was thinking about security, but how will a state decide which level of encryption is acceptable.

If a company genuinely cares for security it will not employ the bare minimum that is required by law, but will employ whatever is best based on the level of revenue its service generates, if the bare minimum by law is set too high and SME enterprise cannot earn a profit while enabling encryption then the business will close shop.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
2/10/2014 | 3:46:24 AM
Re: A complicated issue
It is in the business's interest to protect its customers, their data and privacy. Without a sense of security e-commerce would be nonexistent, if the level of security that a firm provides to their customers is high then a breach is going to take extra time to investigate. If a non-encrypted hard disk was stolen then it is easy to report: a hard disk containing usernames etc has been stolen. But if an encrypted hard disk has been stolen it depends on the level of encryption employed and the ability/resources needed to access the information which would determine whether the data containing on the hard disk can even be used in a negative fashion.  
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
2/7/2014 | 7:16:00 PM
Re: A complicated issue
I have never experienced a data loss event in my career, but I can imagine the hardship that would come from it.

You are stuck in the middle of a really bad problem - oftentimes organizations probably don't even know at first the extent of the breach and how they should properly communicate what the problem is.

This is why many comapnies who are confronted with this problem appear to be fumbling around for the right responses - they initially don't know what to sat. 
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Strategist
2/7/2014 | 5:58:10 PM
Re: Competitive differentiator
Or, might it spur more companies to use encryption routinely? Some states exempt companies from disclosure if the data's encrypted.  
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/7/2014 | 12:22:20 PM
Competitive differentiator
I love the parking ticket rule. And, it seems like only a matter of time until businesses spring up that promise NOT to hold any personal data. If I had a choice between Store A that mines the crap out of my info and keeps my CC numbers and Store B that doesn't -- and can prove it via third-party inspection -- guess where I'm shopping.
RichK211
50%
50%
RichK211,
User Rank: Apprentice
2/7/2014 | 10:14:01 AM
Companies That Disclose Crises Protect Reputation
Great idea to mandate disclosure but companies from every industry should want to do that anyway to protect long term reputation and profits. Here are some of my thoughts on the Target matter about how the company handled its public disclosure of the data breach.

http://www.riskandinsurance.com/target-as-target/
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.