A quote in the WSJ article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is a national security issue. It requires wholesale rethinking of the credit card system. The Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben
Imagine all the time businesses would spend if they read (and took the effort to digest) all the legal terms and conditions written on routine documents, like invoices, purchase orders, and bills of lading, from trading partners.
Under a legal phenomenon called the "battle of the forms," businesses learned that the best approach was not to read all the terms communicated to them. Instead, they learned to transmit their own terms to their trading partners, using their own documents. By so doing, they sorta blunted or neutralized or adjusted the blizzard of terms coming from trading partners. (The process was never perfect, but if done intelligently it had an effect.)
I argue the same phenomenon can occur in the privacy space. I argue people can publish their own terms of privacy. (It's a complex topic, and I'm not giving anyone legal advice here. Topic for more discussion.) --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html
Why can't end user license agreements be turned to advantage? To deter employers (and bill collectors) from viewing social networking pages, employees (or debtors) might post terms of service under which employers (or collectors) agree to scram. This idea should not be taken as legal advice, just something to think about. --Ben http://hack-igations.blogspot.com/2007/11/privacy-advocates-such-as-nyu-professor.html
Any record destruction policy must include a "litigation hold". A litigation hold means that record destruction must stop when litigation is anticipated or pending. But in a complex enterprise, it is tricky to know what litigation the enterprise anticipates. It was the trickiness of litigation hold that led to the demise of Arthur Andersen. The risks associated with litigation hold give enterprises incentive to store lots more records. --Ben http://hack-igations.blogspot.com/2008/07/document-discovery-litigation-hold.html
Most all data in commercial and government systems are "exposed" or "compromised" to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. --Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
EULAs are governed by contract law. Contract law is a two-way street. Just as web administrators and software vendors can communicate to visitors/customers what they assert to be the legal terms, customers can communicate back. In principle, contract law does not favor either administrators or customers. Individuals may be able to use contract law to assert their legal terms on other parties, such as search engines. --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html My ideas are not legal advice for any particular situation; they are just ideas for public discussion.
Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
From a public policy perspective: This post reminds us that cryptography is a dynamic and sometimes surprising science. The implication is that to achieve data security with cryptography is not just a simple task. But politicians have recently been writing laws and regulations with the assumption that to "encrypt" data is the end-all be-all of data security. It is not. Lawmakers are unwise to require a specific technology like "encryption" for data security. --Ben Wright http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html
Data breaches are more nuanced than the sensational numbers in a story like this would suggest. Data breach announcements and notices have a scalability problem. As the number of announcements and notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach claims, announcements and notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
From the point of view of the employer: If you want to boost your claim that you own stuff like social net contacts, then post lots of notices telling employees that you own it and that they agree. http://hack-igations.blogspot.com/2008/06/employee-imtexte-mailvoicecomputerinter.html --Ben [But if you need legal advice on this, you need to talk to your lawyer.]
By their nature, merchants are not well-equipped to secure modern payment card transactions and data. As merchants like TJX have (predictably) failed to succeed at tasks they are not qualified to perform, the law has unfairly been punishing them. The punishment and the unfair foisting of burdens on merchants should stop.
As an effort to take heat and responsibility off of beleaguered merchants, programs like Verified by Visa are wise and necessary. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
East Carolina University recognized that part of e-mail management is to set a policy for the retention of e-mail by important employees. -- Ben
"Hostile workplace" lawsuits show that businesses have good reason to use technical filters and blocks to prevent the transmission of ill-advised e-mail. This link describes a case against the Chicago Police Department: http://legal-beagle.typepad.com/wrights_legal_beagle/2008/10/filter-and-block-pornography-from-workplace-e-mail.html --Ben
A lesson from the history of technology law: A legislature is unwise to require a specific technology like "encryption." --Benjamin Wright http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html
To deter colleges from viewing social networking pages, maybe students could post legal terms of service under which colleges agree to go away and ignore the pages. This idea should not be taken as legal advice for anyone, just something to think about. --Ben http://hack-igations.blogspot.com/2007/11/privacy-advocates-such-as-nyu-professor.html
As information technology begets ever-growing oceans of records, all legal investigations and prosecutions grow ever more lengthy, revealing, expensive and difficult to close. --Ben http://hack-igations.blogspot.com/2007/09/endless-investigations.html
To deter employers from viewing social networking pages, employees might post terms of service under which employers agree to scram. This idea should not be taken as legal advice, just something to think about. --Ben http://hack-igations.blogspot.com/2007/11/privacy-advocates-such-as-nyu-professor.html
A privacy policy is a type of contract. Contract law is a two-way street. Each party can assert terms. If Google can assert its legal privacy terms just by publishing them (on something less than its homepage), then maybe Internet users can assert their own terms of privacy protection just by publishing them! --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html This idea is not legal advice, just something to discuss.
If Google can assert its legal terms just by publishing them (on something less than its homepage), then users can assert their own terms of privacy protection just by publishing them! What do you think? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html [This is not legal advice for anyone, just a topic for public discussion.]
Careful reading of the indictments shows that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
Subterfuge is a tactic of modern data security and privacy. --Ben http://hack-igations.blogspot.com/2007/08/subterfuge-as-security-tactic.html
As the size of e-mail archives swells, corporations can take steps to manage and reduce the volume of what they retain. --Ben http://hack-igations.blogspot.com/2008/04/reducing-volume-of-e-mail-archives.html
I don't know about preventing prosecutors from using photos. However . . . to deter employers from viewing and abusing social networking pages, employees might post legal terms of service under which employers agree to scram. This idea should not be taken as legal advice for anyone, just fodder for public discussion. --Ben http://hack-igations.blogspot.com/2007/11/privacy-advocates-such-as-nyu-professor.html
CmdrTaco says, "Assuming the spider adheres to robots.txt, this is clever and well done." Query whether robots.txt can legally or morally be used, like a web End User License Agreement (EULA), to restrict the political conversation the McCain campaign is pursuing here. It is one thing to use a EULA to govern issues like privacy and legal liability. It would be another to employ it to limit free political speech. What do you think? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html
If Google can assert its legal terms just by publishing them (on something less than its homepage), then users can assert their own terms of privacy protection just by publishing them! What do you think? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html