
Comment: Re:PCI Compliance? (Score 3, Interesting) 402

by dannyrap (#29349919) Attached to: What the DHS Knows About You

Not exactly. Any business that processes credit cards has to be PCI compliant. That means truncating the credit card number or encrypting it. So any company that gives the DHS access to unencrypted credit card numbers is no longer PCI compliant and is liable for damages in the event of a breach (which this may be).
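The comment above distinguishes truncated from unencrypted card numbers. The following is an added example (not part of dannyrap's comment or of any PCI reference implementation) showing what "truncating" looks like in practice and how a defender can check whether full PANs are still present in data before it is stored or handed to a third party. It assumes the common PCI DSS masking rule of keeping at most the first six and last four digits, and uses constructed sample text with the well-known Visa test number 4111 1111 1111 1111.

```python
import re

# Assumed masking policy (PCI DSS display rule): keep at most the first six
# and the last four digits of the PAN, mask everything in between.
FIRST_KEEP = 6
LAST_KEEP = 4

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the PCI-style truncated form of a PAN, e.g. 411111******1111.

    Raises ValueError if the input is not a plausible card number, so that
    garbage is never silently stored as if it were a masked PAN.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - FIRST_KEEP - LAST_KEEP
    return digits[:FIRST_KEEP] + "*" * hidden + digits[-LAST_KEEP:]


def find_unmasked_pans(text: str) -> list[str]:
    """Scan free text (a log line, an export, a support ticket) for full PANs.

    A regex alone produces many false positives on order ids and timestamps,
    so each candidate is confirmed with the Luhn check before it is reported.
    Returns the normalised digit strings found.
    """
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample: one real-looking test PAN, one 13-digit reference number
# that fails Luhn and therefore must not be flagged.
SAMPLE_TEXT = "order 1234 card 4111-1111-1111-1111 ref 1234567890123"

if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))   # 411111******1111
    print(find_unmasked_pans(SAMPLE_TEXT))        # ['4111111111111111']
    # Once truncated, the same scanner finds nothing to report.
    print(find_unmasked_pans(truncate_pan(SAMPLE_TEXT.split()[3])))  # []
```

`find_unmasked_pans` is the kind of check worth running over any dataset before it leaves the cardholder-data environment: if it returns anything, the data is neither truncated nor encrypted and the compliance argument in the comment applies.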

Comment: The GLBA is a GOOD thing (Score 1) 184

by dannyrap (#14786212) Attached to: Liability for Data Breaches are Minimal

I'm working for a company that falls under the Gramm Leach Bliley Act, and think that it's a good standard. Let's face it, without some laws in place, most companies don't care squat about security. The law probably doesn't go far enough, but companies that don't do anything can now get screwed in lawsuits like these. That's a good thing.

The result of the law going into effect is pressure from up-on-high in the company to be in compliance with the law and gives justification to spend money on people and equipment/software/etc. Another company I worked at wouldn't even spend money for firewall software, because management dismissed IT's cost/benefit justification. If it didn't directly contribute to sales figures, it didn't happen. I'm glad I'm not there anymore.

Now, IT security is talked about at all levels, from IT all the way up through management. The question is asked and discussed: "Is the sensitive information adequately protected?" Having the GLBA as the hidden hammer gives the question a lot of weight. And it's made a difference, with a lot more thought being put into it. Any planning does have project time and resources set aside specifically for security. There's actually time to audit and review existing equipment, and authorization to change any blatant findings.

Is it perfect? Well, no. More time and money could certainly be used. But the effort put into it certainly exceeds the bar that the GLBA provides. I do admire the company for that.

Danny
