Cyber Security Institute

Monday, July 04, 2005

The coming Web security woes

Anyone who runs a Web site with registered users and receives income from it should be concerned. The Specter-Leahy bill says that if that site’s list of user IDs or e-mail addresses is compromised, each registered user must be notified via U.S. mail or telephone. Refusal to do so can be punished with $55,000-a-day fines and prison time of up to five years.

That’s remarkable but not as extreme as the second requirement: the Web master or mailing list operator might have to “cover the cost” of 12 monthly credit reports for each person whose e-mail address was lost or purloined.

For a popular site with 10,000 registered users, that would be a princely sum.

Independent Web site owners should not be bankrupted by being made to cough up that kind of cash: the penalty is unrelated to any harm actually done.

Other sections of the proposed law, called the Personal Data Privacy and Security Act, are highly rigid. For example, anyone running an ad-supported Web site or mailing list with 10,000 or more registered users must “implement a comprehensive personal data privacy and security program,” create a “risk assessment” to “identify reasonably foreseeable” vulnerabilities, “assess the likelihood” of security breaches, “assess the sufficiency” of policies to protect against them, publish the “terms of such program,” do “regular testing of key controls” to verify security, select only superior “service providers” after doing “due diligence,” and regularly “monitor, evaluate and adjust” security policies.

Specter and Leahy probably intended to target large businesses that employ teams of corporate lawyers and would view this as just more government paperwork. “We don’t want to place any undue limitations on mailing lists, Web sites, and so on,” Schmaler said.

Posted on 07/04