undefined | Better HN

0 pointsspydum7y ago0 comments

You would be correct. In the US, which I might remind you, does not have a national law on the books regarding data breach notification. Even at the state levels, it’s varies pretty wildly on top of, most notifications are only required if there is evidence. So here is the challenge: what if I keep no logs, and have terrible security monitoring capability? If I am notified or discover a critical vulnerability on my own, but have inadequate logs to show or detect if it was exploited... am I required to notify? I have been told no (I fervently disagreed; I think suspected breaches, or critical vulnerabilities which may lead to breaches but were inconclusive should still require notification).

0 comments

pgrote7y ago

>In the US, which I might remind you, does not have a national law on the books regarding data breach notification.

Our federal government is beholden to corporations, so I don't see any legislation ever happening to punish nor place a regulatory significance on breaches.

If the Equifax debacle didn't move the needle, nothing will. How they didn't get a death penalty for not protecting one of the supports of our financial system I will never know.

As the parent said, I've just assumed all my data will be breached eventually. When it occurs I dutifully sign up for the monitoring offered and make sure to review things on a monthly basis.

Your comment on breach notification is spot on. WISH.COM has suffered down line breaches in their process and it is easy to prove by the use of virtual credit card numbers ... numbers that are generated and used at only one site. They have been silent when it is reported to them.

sathackr7y ago

> dutifully sign up for the monitoring offered

and then the monitoring company gets breached.

I don't give any real info besides my first name to any site that doesn't have a legitimate reason to need it. If they force me to confirm an email address, depending on the site, I may use one of my main emails, or may go generate a disposable address.

jwr7y ago

Still, I would have thought it is good practice to notify your users if you leak their data to thieves. Quora did the right thing and should be applauded.

As a counterexample, it seems that Newegg had a massive breach (thieves installed JavaScript that skimmed credit card numbers for weeks) in August, and even though my credit card was likely stolen, I hever heard about it from Newegg.

bigtunacan7y ago

Not sure why you didn't hear from Newegg, but they did send out a mass email notification with details of the breach.

mtone7y ago

I somehow got their email a week or so after the event, and after my card's fraud prevention called for suspicious activity, reverted the transactions and cancelled my card. The bank official was not aware of the leak.

jwr7y ago

They did? I never got anything from them. And I was definitely within the time window.

monetus7y ago

How did you find out they did that? Just following tech news?

jwr7y ago

Yes, see for example https://techcrunch.com/2018/09/19/newegg-credit-card-data-br...

j / k navigate · click thread line to collapse

0 pointsspydum7y ago0 comments

0 comments

pgrote7y ago

>In the US, which I might remind you, does not have a national law on the books regarding data breach notification.

Our federal government is beholden to corporations, so I don't see any legislation ever happening to punish nor place a regulatory significance on breaches.

If the Equifax debacle didn't move the needle, nothing will. How they didn't get a death penalty for not protecting one of the supports of our financial system I will never know.

As the parent said, I've just assumed all my data will be breached eventually. When it occurs I dutifully sign up for the monitoring offered and make sure to review things on a monthly basis.

sathackr7y ago

> dutifully sign up for the monitoring offered

and then the monitoring company gets breached.

jwr7y ago

Still, I would have thought it is good practice to notify your users if you leak their data to thieves. Quora did the right thing and should be applauded.

bigtunacan7y ago

Not sure why you didn't hear from Newegg, but they did send out a mass email notification with details of the breach.

mtone7y ago

jwr7y ago

They did? I never got anything from them. And I was definitely within the time window.

monetus7y ago

How did you find out they did that? Just following tech news?

jwr7y ago

Yes, see for example https://techcrunch.com/2018/09/19/newegg-credit-card-data-br...

j / k navigate · click thread line to collapse