http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html The Emergent Chaos Jazz Combo Mon, 08 Mar 2010 14:28:34 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html/comment-page-1#comment-3658 Dissent Sun, 27 May 2007 13:00:46 +0000 http://emergentchaos.com/?p=2380#comment-3658 "They might be more willing when the cost of notification is very high." I'm confused. Wouldn't lawyers be more willing (to make an aggressive interpretation) when the cost of NOT notifying was high (due to penalties, AG action, etc.) or when the cost of notifying was low and wouldn't really hurt their client? Or are we talking about different lawyers? “They might be more willing when the cost of notification is very high.”
I’m confused. Wouldn’t lawyers be more willing (to make an aggressive interpretation) when the cost of NOT notifying was high (due to penalties, AG action, etc.) or when the cost of notifying was low and wouldn’t really hurt their client?
Or are we talking about different lawyers?

]]> http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html/comment-page-1#comment-3657 Chris Sun, 27 May 2007 12:21:15 +0000 http://emergentchaos.com/?p=2380#comment-3657 Good point, Dis. I am tempted to agree, and this would certainly be worth looking at. My uninformed guess is that lawyers being a conservative lot, they'd tend to not make an aggressive interpretation of 'illegal use'. They might be more willing when the cost of notification is very high. Good point, Dis. I am tempted to agree, and this would certainly be worth looking at. My uninformed guess is that lawyers being a conservative lot, they’d tend to not make an aggressive interpretation of ‘illegal use’. They might be more willing when the cost of notification is very high.

]]> http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html/comment-page-1#comment-3656 Dissent Sun, 27 May 2007 10:48:34 +0000 http://emergentchaos.com/?p=2380#comment-3656 Thanks, Chris. Looking at the difference in notification standards, maybe the higher percentage of NC cases hitting NY is also because NC requires breaches involving unencrypted data be reported only if there has been misuse or there is a "reasonable" likelihood of same. So anything that gets reported there has already led to fraud or ID theft or is more likely to do so than many of the smaller breaches reported in NYS where they have to report even if no evidence of misuse or even reasonable likelihood of misuse? Or am I reading the provisions wrong and just need more coffee? :) Thanks, Chris. Looking at the difference in notification standards, maybe the higher percentage of NC cases hitting NY is also because NC requires breaches involving unencrypted data be reported only if there has been misuse or there is a “reasonable” likelihood of same. So anything that gets reported there has already led to fraud or ID theft or is more likely to do so than many of the smaller breaches reported in NYS where they have to report even if no evidence of misuse or even reasonable likelihood of misuse?
Or am I reading the provisions wrong and just need more coffee? :)

]]> http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html/comment-page-1#comment-3655 Chris Sat, 26 May 2007 18:21:42 +0000 http://emergentchaos.com/?p=2380#comment-3655 Folks: While nuking some comment spam, I clicked in the wrong place and deleted a comment made by 'Dissent', to which the comment before this was a response. I am reposting the text of that comment below: ### Original comment Chris, could you comment on the states' respective notification laws as it might (or might not) explain the difference? Is it the case that NYS has a broader notification requirement than NC, or are they about the same? Interesting results. ### End I figure this is preferable to trying to forge a comment and risking compounding my mistake. Folks:
While nuking some comment spam, I clicked in the wrong place and deleted a comment made by ‘Dissent’, to which the comment before this was a response.
I am reposting the text of that comment below:
### Original comment
Chris, could you comment on the states’ respective notification laws as it might (or might not) explain the difference? Is it the case that NYS has a broader notification requirement than NC, or are they about the same?
Interesting results.
### End
I figure this is preferable to trying to forge a comment and risking compounding my mistake.

]]> http://emergentchaos.com/archives/2007/05/venn-and-the-art-of-empirical-breach-research.html/comment-page-1#comment-3654 chris Sat, 26 May 2007 18:11:03 +0000 http://emergentchaos.com/?p=2380#comment-3654 NC covers physical media as well as computerized. In my date range, this was maybe 8 incidents. OTOH, NC only requires the AG to be notified if more than 1K residents are hit, which could tend to suppress reporting compared to NY (which lacks such a floor and has many small breaches reported). Needless to say, I am not a lawyer :^) State laws summarized at <a href="http://www.perkinscoie.com/statebreachchart/chart.pdf" rel="nofollow">http://www.perkinscoie.com/statebreachchart/chart.pdf</a> NC covers physical media as well as computerized. In my date range, this was maybe 8 incidents. OTOH, NC only requires the AG to be notified if more than 1K residents are hit, which could tend to suppress reporting compared to NY (which lacks such a floor and has many small breaches reported).
Needless to say, I am not a lawyer :^)
State laws summarized at http://www.perkinscoie.com/statebreachchart/chart.pdf

]]>