[email protected] (Scott Ford) writes:
> Very true... but still I think Yahoo has a responsibility to their customers
We were tangentially involved in the Cal. data breach notification act (the "original" notification act), having been brought in to help wordsmith the Cal. electronic signature act. Several of the participants were involved in privacy issues and had done extensive surveys. The #1 issue from the surveys was identity theft, primarily the form involving account fraud (fraudulent financial transactions), primarily as a result of data breaches. There seemed to be little or nothing being done about the problem, and there was some hope that the publicity from the notifications would motivate countermeasures. The issue was that security measures are usually taken for self-protection; the problem was that the institutions with the data breaches had little at risk ... it was their clients/customers that were suffering the fraud ... and so they had no motivation to take corrective action.

Since then the proposed federal legislation has been about evenly divided between requirements similar to the original Cal. bill and those that eliminate most requirements for notification (sometimes disguised by requiring that the breach involve multiple different kinds of personal information, which doesn't occur in the real world).

The same organizations were in the process of doing a Cal. "opt-in" privacy bill (institutions can only share personal information when authorized by the individual). GLBA is better known for the repeal of "Glass-Steagall". However, the rhetoric on the floor of Congress was that the primary purpose of GLBA was to allow those with bank charters to keep them, but prevent anybody else from getting bank charters (eliminate competition). However, another provision in GLBA was "opt-out" privacy sharing (institutions can share personal information unless they have a record of the individual objecting; federal preemption of state laws).
At the 2004 annual privacy conference in DC, during a panel with FTC commissioners, an individual asked from the floor if the FTC was going to do anything about "opt-out". They said they were involved with most of the major financial call-centers and none of the "opt-out" call lines were equipped to record any information from "opt-out" calls (so the institutions could claim they could share since there was no record of objections).

The major motivation for cyberattacks and breaches has been being able to use stolen account info for fraudulent financial transactions. A problem is that the business process is severely misaligned. The value of the information to the merchant is the profit on the transaction (possibly a couple of dollars; for the transaction processor possibly a few cents). The value of the information to the crook is the account balance and/or credit limit. As a result the attackers may be able to outspend by a factor of 100 times (what the defenders can afford to spend on security measures). The account information is also required in dozens of business processes at millions of locations on the planet. At the same time the threat of fraudulent transactions requires that the account information be kept confidential and never divulged. We've claimed that with these diametrically opposing requirements, even if the planet were buried under miles of information-hiding encryption, it still wouldn't be able to stop information leakage.

In the past, the merchants have been told that a large part of the interchange fee (value subtracted from the amount received by merchants) has been tightly tied to the respective fraud rates ... resulting in studies that the financial infrastructure makes a large profit from fraudulent transactions ... eliminating any motivation to change the paradigm and correctly align the business process to eliminate fraud.
Furthermore, crooks would likely move attacks to the next lowest-hanging part of the financial infrastructure (which doesn't involve merchants; no justification to charge a hefty profit fee whenever there are fraudulent losses).

-- 
virtualization experience starting Jan1968, online at home since Mar1970
