Shostack + Friends Blog Archive


White House Data Breach Prevention Guidelines

So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable

The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I expect to happen is that all data collection will be declared necessary.

However, far more important than the nature of the changes that were announced is why they were announced, and that is that these breaches weren’t just swept under the rug. What that means is that breach disclosure is good for you, the American citizen.

It’s also why we see so much resistance to talking about breaches. Because as we do, we’ll catalyze change. I think that’s a good thing, even if it’s scary. Some senior officials seem to think the same way.

Via Threat Level 27B-6.bis, “White House Issues Data Breach Prevention Guidelines” and several others