Embedded in revisions to a proposed cybersecurity law are some provisions on mandatory breach notification. Richard Lardner reports: The chairman of the Senate Commerce, Science and Transportation Committee, Sen. Jay Rockefeller, D-W.Va., is adding a provision to cybersecurity legislation that would strengthen the reporting requirement. The SEC’s cybersecurity guidance issued in October is not mandatory. It was…
Category: Commentaries and Analyses
Old law puts school data at risk
Susan Palmer reports: An obscure state regulation — one that requires districts to keep student records for decades — is one reason several thousand Eugene School District students are at risk of having their Social Security numbers hijacked following a security breach of the district’s electronic records. School districts must retain student records for 75…
Should we send in CSI to figure out the source of a data dump?
Here’s a great example of the perils in trying to report on hacks or breaches disclosed on Twitter or Pastebin. A hacker who self-identified as Reckz0r initially claimed to have hacked Visa and MasterCard and to have dumped 50GB worth of data (without credit card numbers). I had my doubts, and wasn’t surprised to read…
Is network offense the best network defense?
Stewart Baker responds to Joseph Menn’s recent report on companies fighting back against attackers. He comments on the different offensive strategies: Here’s the problem. A generation of computer crime lawyers at the Justice Department has devoted their careers to discouraging the reaction that Menn describes. That’s because the fundamental law in this area, the law…
Hacked companies fight back with controversial steps
Joseph Menn of Reuters reports that some U.S. firms are fighting back against hackers in unorthodox – if not downright illegal – ways: “Not only do we put out the fire, but we also look for the arsonist,” said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new…
Does a Data Breach in the U.S. Require Notification in Europe?
Paul Van den Buick writes: The European legal framework on the protection of personal data (Directive 95/46/Ec) is acknowledged as one of the strictest in the world. This tendency seems to be confirmed by the new draft regulation on the protection of personal data revealed by the European Commission in January 2012, which, once adopted,…