* Posts by Benjamin Wright

9 publicly visible posts • joined 16 Oct 2007

Organized crime tampers with European card swipe devices

Benjamin Wright

fresh thinking needed

A quote in the article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is on par with national security issues. Card security requires wholesale rethinking of the credit card system. The US Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

Second TJX hack suspect cops a plea

Benjamin Wright

magnitude of incident misunderstood

Careful reading of the indictments of the TJX data thieves shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

Feds charge 11 in TJX ID fraud case

Benjamin Wright

TJX over-reaction

Careful reading of the indictments shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

Data breaches easily prevented - report

Benjamin Wright

legal definition of reasonable security

Legally speaking, what is "reasonable security?" FTC fined TJX for not having it, but I disagree. Verizon says 9 of 10 data breaches could have been avoided if reasonable security were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates whether reasonable security could have prevented a break-in, it does so with the benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the sheer problem of keeping up with the location of data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

Supermarket loses 4.2 million credit card details

Benjamin Wright

definition of data security compromise

Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a "data security breach" worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

Google eyes Cleveland medical records

Benjamin Wright

Privacy by contract

Maybe consumers can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html

EU debates privacy of IP numbers

Benjamin Wright

Legal justification

Even if it is normally illegal for a citizen to record or process data such as an IP address, there might be rare situations where the citizen is legally justified. http://hack-igations.blogspot.com/2008/01/ip-address-privacy-and-self-defense.html

Terrifying farm mechanoid plan for Japan

Benjamin Wright

Legal Contracts with Robots

As robots become more common, questions arise about how they will be regulated. One way to regulate them will be to form legally-binding contracts with their owners.

http://hack-igations.blogspot.com/2008/01/robot-surveillance-contracts.html

Schwarzenegger terminates data breach bill

Benjamin Wright

Sloppy Draftsmanship in AB 779

In AB 779, proposed Civil Code Section 1724.4(b) was poorly drafted and confusing. It was not clear whether 1724.4(b) covered Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) was muddled about what does and does not constitute "sensitive authentication data" that a merchant would have been forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Proposed Section 1724.4(b)'s poorly crafted language would have been a roadblock as innovators try to invent the next PayPal. See detailed analysis at http://hack-igations.blogspot.com