  Cudni La Merma - Los De Aca Premium,MVM join:2003-12-20 Someshire
Breach-notification laws not working?
From www.securityfocus.com/news/11524: "... 'You can put the accountability in two places,' Romanosky said. 'First the firms: they can improve and they need to improve. The other end is the consumers: Once notified, they need to do something.' ..."
I find the second part of the comment slightly disingenuous, because who would ignore a notification?
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. Microsoft MVP, 2006 - 2008
  Blue2 Premium join:2004-04-14 France
Agreed. People may not be careful enough in protecting their confidential information. ("It will happen to the other guy, not to me.") But I'd like to see some evidence that once it happens, they do nothing. I'll bet it's just that the notification they receive is confusing and doesn't make it clear what to do.
Here's a case in point. Several years ago, I received a disclosure notice from a technology supplier to my former employer indicating that one of their laptops went missing. The letter was undated, had no contact info other than a PO Box, no clear information on how to contact the credit bureaus, etc. In sum, it seemed no more than a "Sh-t happens" cover-your-ass memo, to try to limit their liability if sued. I was incensed, looked up who was the CTO and Legal Counsel of this firm and shot back the following letter:
Dear Corporate Compliance Administrator, Dear Chief Legal Officer,
Please help me to understand. You have informed me that a security breach occurred at that may have potentially exposed my personal data to risk. However, despite my numerous written requests over the past several weeks, you have not indicated what the circumstances were regarding this potential theft of data, what data might have been compromised, and what steps you are actively taking to avert further losses.
Let me remind you that your letter to me was undated and provided no address or contact details easily accessible from overseas. As it is not even clear to me that this is data that you should have been in possession of in the first place, I hope that you will take my request seriously and not require that I have this issue investigated. Your ignoring of my repeated emails trivializes the seriousness of the situation and is preventing me from taking appropriate steps to limit the potential damage.
I thank you and await your kind reply.
Sincerely,
That finally provoked the merited reply. I imagine that Romanosky would consider that "doing something", but it sure suggests to me that the accountability is where it squarely belongs, on the shoulders of the firms who seem to be more interested in protecting themselves from liability than in protecting the consumer.