Full Disclosure debate, 2.0
A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign.
Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers, if there is a chance the breach has put individuals’ sensitive personal data at risk.
I like this except where do you draw the line on what is considered “a chance the breach has put individuals’ sensitive personal data at risk”.
In todays world and with many companies not knowing where their data is almost anything has the chance of exposing PII. Data is so transient, even if it’s not supposed to be, that most companies don’t know that several remote users have copies of either databases or spread sheets that contain customer data. Not to mention the USB drives that the company doesn’t even know about. In cases such as this almost any machine that gets a virus or a rootkit would require full disclosure because the user may have had PII data on a USB key.
Don’t get me wrong. I think companies have to be held accountable, but there has to be a very clear understanding on what constitutes a breach of PII data.
Andy,
Why? What’s holding us back from talking about what goes wrong?
Andy, your claim is that the company doesn’t know where the PII data is, and therefore what? shouldn’t be required to be accountable??? That’s hardly a defence!
Apply that to your bank. “Money is so transient, even if it’s not supposed to be… those tricksy transactions go slip-sliding away on USB drives, …”