US bill would make concealing data breaches a crime US-based companies would be required to report data breaches that threaten consumer privacy and could face stiff penalties for concealing them under federal legislation that was introduced in the Senate on Tuesday. The Personal Data Privacy and Security Act aims to set national standards for protecting the growing amount of …
...if this were to pass, you would then start seeing a "waiver" program put in place "give give companies a level playing field" , supposedly for smaller companies that can not afford the same protections of larger companies , but the only companies that will be able to get the waivers will be the big companies.
three outcomes should this pass into law.
#1) Data breaches will cease to be news for the same reason that "There's a new virus in the wild" isn't news anymore.
#2) Big companies will, initially, spend more on security to avoid embarrassment. However, once #1 takes hold, that positive effect will go away.
#3) As Zippy said, the federal government will be exempt.
That is why you put everything in writing.
"These are my suggestions of what we need to do to meet compliance with this new bill."
If your boss then shoots this list down for whatever reason, he's the one that goes to prison... Coming from the Aerospace field where if a plane goes down and its your part thats responsible then you go to prison, makes you very aware that covering your ass is very, very important...
How's this for a strategy to protect my data privacy and security:
For *all* organisations (Commercial, Governmental, Telcos, and Landline ISPs):
-- -- 1. Don't track my browsing activity with persistent Cookies/Flash LSOs/DOM storage.
-- -- 2. Don't store *any* of my account info in an unencrypted format.
-- -- 3. Don't require me to opt-out (as opposed to opt-in).
-- -- 4. Don't accept data from client web browsers without sending it through a string-scrubber first.
-- -- 5. Don't use unencrypted sessions to perform *any* sensitive transactions (not just financial).
-- -- 6. Don't send GPS or other location data upstream without asking first.
For Landline ISPs:
-- -- 7. Don't perform deep-packet inspection to target advertising and/or manage traffic; respect the sanctity of my packets.**
For Governments:
-- -- 8. Don't snoop on what I do without a legitimate court order supported by concrete evidence.
There... Was that so hard?
** (General traffic management without packet sniffing, such as "pay $XX/month for YY Mbits/sec bandwidth" is OK by me. The more I pay, the more I get. How I use it is *my* business.)
Solution: mobile phone based public key security.
1. Android app to generate public/private key pair on your phone
2. Store the private key in a secure area on the SIM
3. NFC enable phones to sign transactions
4. Add NFC readers to PCs and POS terminals
5. Add a thumbprint reader to phones like the Atrix already has
6. Pay for things at the super marker, and log into gmail via the same secure method
RSA never has access to your private key, no one can forget to hash your password, replay attacks are over, public keys can be blacklisted over the web when a phone is lost. C'mon guys, it isn't that difficult!!!
Why did RSA have a central database of seed values anyway? The only purpose I can think of is to spy on their clients (possibly on behalf of the USG)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
