Quoting Kevin Walsh (suppressed):
> Peter <suppressed> wrote:
> > under state laws in California and
> > many other states and under a proposed Federal law, if your customers'
> > private data is compromised in an attack on your servers you are
> > required by law to notify everyone who might have had their data
> > compromised. If the attacker only got encrypted data but cannot decrypt
> > it then there's nothing that was compromised.
> >
> Not true. If the customer's name, address and telephone number etc. is
> not considered private then their list of previous orders certainly is.
>
> If your server got cracked then you'd have a lot of explaining to do to
> a lot of people.
IANAL, but the way we interpret the laws is that if you don't collect
* Birthdate
* Social Security Number
* Passport number
* Mother's maiden name or other such identity data
* Drivers License number
* Credit card data
* Biometric data including height/weight
* Medical history
then the requirements are a lot less onerous.
We have implemented some sites which store this type of data
but which encrypt it.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <suppressed>
One conclusion should be obvious: If nations such as Indonesia,
Bangladesh and Thailand can not make themselves inoffensive to Militant
Islamism there is no way that the United States could perform such a
feat, no matter which policies we changed or how much our public
diplomacy improved. -- Clifford May
_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users