We have been reading articles and watching interviews concerning a national breach notification standard, and several people in our office, as well as clients, have said things that really have us thinking about this proposal.
Part of the proposal states that Americans have a right to know what information is being collected about them and how it is being used. This is interesting in light of the recent revelations from the Snowden debacle. In fact, if that is the case, I would think the Government should play by the same rules it is dishing out to the corporate world.
Of course we all know they will exempt themselves from having to meet the same guidelines.
One other interesting aspect is that it will give businesses 30 days to disclose if information has been lost or stolen. Well, that's fine, but what about the businesses that never acknowledge having had a breach, and the security researchers who have the information but are afraid to release it for fear of reprisal?
We get submissions every single day, and while we cannot validate each and every one, some businesses do the right thing: they deal with the notifications and take care of their customers. Many don't. Many organizations, including colleges and universities, simply ignore them because they know we can't release their information. It's a catch-22 that the Government and the laws are not keeping up with. There should be a program (within the Government) where these submissions can be presented without threat of legal action from the affected party. This would eliminate the general liabilities of security researchers who are privy to more information than even the Government.
Thoughts or comments are greatly appreciated on this topic!