9 posts • joined 16 Oct 2007
fresh thinking needed
A quote in the article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is on par with national security issues. Card security requires wholesale rethinking of the credit card system. The US Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
magnitude of incident misunderstood
Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
legal definition of reasonable security
Legally speaking, what is "reasonable security?" FTC fined TJX for not having it, but I disagree. Verizon says 9 of 10 data breaches could have been avoided if reasonable security were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates whether reasonable security could have prevented a break-in, it does so with the benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the shere problem of keeping up with the location of data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
definition of data security compromise
Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a "data security breach" worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
Privacy by contract
Maybe consumers can use contract law to enhance the privacy of their health records. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html
Even if it is normally illegal for a citizen to record or process data such as an IP address, there might be rare situations where the citizen is legally justified. http://hack-igations.blogspot.com/2008/01/ip-address-privacy-and-self-defense.html
Legal Contracts with Robots
As robots become more common, questions arise about how they will be regulated. One way to regulate them will be to form legally-binding contracts with their owners.
Sloppy Draftsmanship in AB 779
In AB 779, proposed Civil Code Section 1724.4(b) was poorly drafted and confusing. It was not clear whether 1724.4(b) covered Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) was muddled about what does and does not constitute "sensitive authentication data" that a merchant would have been forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Proposed Section 1724.4(b)'s poorly crafted language would have been a roadblock as innovators try to invent the next PayPal. See detailed analysis at http://hack-igations.blogspot.com
- Leaked screenshots show next Windows kernel to be a perfect 10
- Amazon warming up 'cheapo web video' cannon to SINK Netflix
- Something for the Weekend, Sir? I need a password to BRAKE? What? No! STOP! Aaaargh!
- Episode 13 BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
- Vulture at the Wheel Ford's B-Max: Fiesta-based runaround that goes THUNK