[ic] User options

Mike Heins mike at perusion.com
Thu Apr 6 12:25:45 EDT 2006


Quoting Kevin Walsh (kevin at cursor.biz):
> Peter <peter at pajamian.dhs.org> wrote:
> > under state laws in California and 
> > many other states and under a proposed Federal law, if your customers' 
> > private data is compromised in an attack on your servers you are 
> > required by law to notify everyone who might have had their data 
> > compromised. If the attacker only got encrypted data but cannot decrypt  
> > it then there's nothing that was compromised.
> >
> Not true.  If the customer's name, address and telephone number etc. is
> not considered private then their list of previous orders certainly is.
> 
> If your server got cracked then you'd have a lot of explaining to do to
> a lot of people.

IANAL, but the way we interpret the laws is that if you don't collect

    * Birthdate
    * Social Security Number
    * Passport number
    * Mother's maiden name or other such identity data
    * Driver's License number
    * Credit card data
    * Biometric data including height/weight
    * Medical history

then the requirements are a lot less onerous.

We have implemented some sites which store this type of data
but which encrypt it.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

One conclusion should be obvious: If nations such as Indonesia,
Bangladesh and Thailand can not make themselves inoffensive to Militant
Islamism there is no way that the United States could perform such a
feat, no matter which policies we changed or how much our public
diplomacy improved. -- Clifford May
