It makes running Windows a scary proposition if your a** is on the line when daily critical exploits can cost you your job... woa

Way to turn a completely unrelated thread into an MS troll.

You so clever....

I would add another comment and that is that companies after the teck bust have increasingly outsourced this type of job which makes it very difficult to even know who is responsible especially when these companies are overseas.
Also, one of the biggest outsourcers is the DOD which has progressively downsized thier IT department and outsourced these jobs. I have a frien who is in IT and works for the DOD and his job, even though he had 20 years experience, was outsourced so the challenge is much more complicated than the simpletons in congress try to make it.

"Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder"

Kind of like a senator?
(replace "most sensitive personal information" with "senators")

Haha, you're so right and not a thing can be done to stop it short of a full scale revolution

Then I guess congress should be held responsible for the SSAN that were release accidentally, mind you by government employees.

Gotta love the crap that comes out of the Senate once the dems take over. Yes.. .Leahy is a big wig democrat. I guess since Al Gore(democrat) said he invented the internet - They have the right to pass really gay internet law.

Just FYI--you didn't have to put (democrat) in parenthesis after Al Gore, we have all figured that out by now I think ;)

HAHAHAHAHAHAHAHA

The REPUBLICANS brainwashed you nice!
Keep believing republican BS and see where you end up. Just see... Probably in Iraq or Iran hahahah

lol.

As an IT Manager, I quit if this becomes law. Look, I try my best, but I can't be everywhere at once, and I'm not paid to be everywhere at once.

if this law passes, probably there gotta be new insurances for IT managers, just in case.

At least for the big companies, that is

Okay--I'm generally conservative on these sorts of things. However, in cases like this, doesn't SOMEONE have to be responsible? If not the IT manager, who?

I'm not even saying this is the best solution, but who or what entity should be held responsible for security breaches? Is it Bush's fault? Pelosi? Should we sue the company CEO? HR manager? Who?

Hold the company responsible, which would then hold the job of the IT manger responsible through regular audit. The audit process should show the failure quite quickly, and then the responsible party.

The company should be held liable via significant fines. An IT manager shouldn't be fiscally responsible for the entire company, just as a financial controller shouldn't be responsible for paying back embezzlement.

"The company should be held liable via significant fines. An IT manager shouldn't be fiscally responsible for the entire company, just as a financial controller shouldn't be responsible for paying back embezzlement."

Okay, on that issue I see what you're saying. The responsible party should have to pay is the bottom line--so do you agree that if it is proven through audits/etc. that the IT guy should have noticed a security breach but they didn't--and this led to the leak of data--you do still think that the PRIMARY party responsible for network security is, of course, the IT manager right?

What I understood from this is only that it makes the IT department responsible for not making a secure network, which to me is fine. I can see where this could be a problem if the law means the IT manager MUST be responsible regardless of whether the breach was preventable or not...

IT people, in general, do need to start taking data privacy much more seriously, though, and if there is some other way to do it, I'm all ears.

The first thing I would do is remove the "security" in "Social Security Number." There is no reason why a Social Security number should/can be used in a way that compromises a person's safety. Rewrite the laws that make knowledge of this number meaningless, and get a real security number/hash associated with people, and recoverable/transferable if need be.

How much do you make? Can I have your job? I'm definitly qualified...

I tend to agree. Given that just about any online security can be hacked by someone keen enough, the risks to IT Managers becomes inordinately high. To continue or take a position like this you'd want company insurance or some massive renumeration for the risks involved: just like the 'risks' and payouts associated with CEOs.

Are you awake?

One thing lacking in all of everyone's post is actual thought.

Just a moment's thought would reveal the only simple and logical idea:

---Hold the ATTACKER responsible---

And no one else.

A no brainer. Otherwise, it is like suing every police officer in town if your home/car/office is broken into, and you will not hear of anyone "arresting a perpetrator"!
You do not need any one to be arrested (because maybe its too much work to find, prosecute, extradite them, etc. and SOMEONE has to pay!)......so you want someone ELSE to blame.

Like holding teachers responsible for getting shot at or stabbed when kids get violent/deadly in class and do not want to learn.

Like holding parents responsible when their forty year old gets in trouble.

Like holding doctorsresponsible because you get a disease for doing something unprotected.

This liberal country completely lacks actual ideas like personal responsibility like it had fifty years ago. Going to the dogs (libs).

"Gub'ment is the opiate of the people."

You want it? You'll get it. And more, until you puke. It killed Rome, it is killing us.

Founding fathers make excellent eggbeaters right now.

This was once a country of responsibilities, not just rights. They must go hand in hand, like the framers said.

Now it is just rights and laws, laws, laws, laws, suits, suits, suits, -and "others" responsibility.

Next we will need (then require by law) IT Manager insurance, Firewall insurance, Router insurance, Packet insurance, Hacker insurance, LAN Lawyer insurance, a Network Legal Department, network cable insurance, network card insurance, Proxy server insurance, RJ45 insurance, Server Insurance, Database insurance.

Caveat emptor (Let the IT Manager beware) is gone, "who do we blame/sue?" and "Bring me the no-perpetrator's head!" is in.

Zukester

thats it. going to go underground and get a new Identity.

It sounds like this law is an excuse to put more money in big business's pockets.

This is insane.

1.) As it stands, at first glance, this looks to benefit no-one but the hackers. Any IT manager is now an easy target for any ex-employee.

2.) There doesn't seem to be any wording regarding reasonable effort. Even if the IT Manager took "heroic measures" to secure the information, there's no leniency.

3.) Every database is hackable. It doesn't matter where it is, what kind of network it's on, or the security measures in place. There will *always* be a way around it,

While trying to enforce better security is a good thing, punishing or laying blame regardless of measures taken (and the fact that true security is a pipe-dream) is ridiculous.

Placing the target for these hackers right on the IT managaers makes them sitting ducks for anyone who has a bone to pick with them.

Have you found an actual copy of the Bills contents? I haven't been able to locate one.

http://leahy.senate.gov/...2007%20GRA07024_xml.pdf

It is, as with most legislation, insanely long.

I haven't read it yet. Skimmed the first few pages. It seems like they are merely trying to restate the obvious;

concealing the breach is a crime[/i]

[i]giving the data to someone who doesn't require it is a crime

etc...

Haven't seen anything specificaly laying the blame on IT Managers yet, but as I said...only a few pages in.

EDIT: Seems to put most of the work in the hands of the "Data Broker". It's these folks jobs to secure data.

The title of this article is *grossly* misleading.

"The title of this article is *grossly* misleading."

Aye...but whats scarier is how many people are eating it up. *shudder*

I'm no lawyer so allot of what I'm reading is making me glassy eyed but the sense I get isn't so much that there are "reasonable measures" but rather specific tasks that corporations must undertake in order to "pass the test" so to speak. Which isn't too bad as long as the people designing these tasks know what the hell they are doing. At any rate it's better then what we have now which is nada.

Why invent yet another legal conduit for blaming IT when we already have SOX? Sure, SOX itself doesn't make it very clear, but the oversight board which it creates and empowers is made up of accountants and lawyers. Not very many current or "ex" IT folk in congress, too bad. Seems like they are always lawyers and accountants. Go figure. We're neck deep in SOX at my company and pretty much everything is slanted to put the onus on IT to protect everything and garantee nothing is breached or compromised, even data. So if an angry accountant is about to be fired and they erase a bunch of data, or change it, they can ultimately blame IT for not having prevented that user from doing that. I love it. I think I'll switch to accounting now.

backups and versioning are all wonderful things. :p

That varies by which system/platform/product the wonderful, all-knowing accountants chose to use (and insist on keeping)

I'll go with what you said inregards to there not being any exIT folks in congress... Perhaps it's time for us to start our own political party... I propose our first bill be something to the effect of preventing hot air filled lawyers from passing unreasonable laws without knowing what there actually talking about.

First of all, let's all agree that hackers, over the years, have change their tactics to trying to break into institutions that have a lot of financial info. This change represents money to the hackers and no one can deny that a hell of a lot of information has been gotten this way.
Second, let's all agree that, in general, these institutions are reluctant to make public the breach for fear of public backlash.
Third, the institution, unless they can prove that they clearly and with financial backing tried to make their system as secure as possible must be held accountable. Only then do I think the IT manager should be held accountable. If the company can not prove the above than the company should be help accountable.
Fourth, if the company has done the above and the IT manager has done their job than the only thing that has to be looked at is how quickly the company fixed the problem and how quickly did they alert the public.
Finally, let's all agree that hackers could care less about which operating system these companies use. Their only interest is a financial windfall and as the saying goes, "there no suck thing as an unsinkable ship", there is no such thing an unbreachable OS.

Funny you should mention about how quickly some companies alert the public.... I was flying home from NY two days ago and sat next to a guy that is a "Damage assessment consultant". All I could get out of him was that he deals with stolen personal information and that he's on the worst case that he's heard of in a long time... it's been 4 months now and it just keeps getting worse. And no he wouldn't name the company... Good to know that my personal information is being kept safe. I can sleep well tonight.

Much ado about nothing, this is more grandstanding by pols.

1) IT Manager pleads for shred bins, CFO (ultimately, this means the board of directors) refuses funding. String the IT manager up? No. Any IT manager that's not an intern keeps the CYA file of denied requests like that for just such an occasion. Some "IT Managers" are for shops that have an AS/400 and two file servers for construction companies, and there are no staff.

2) Writing policies does nothing. There must be an established initiative from the Board, or C-level exec. For public companies, this isn't much of a problem on the surface.

3) How do you define "IT Manager?" How many of you were the sole IT person while in college for some small joint? Yeah, there was PII (personally identifiable information) in there somewhere. If you are say, a 40 employee advertising agency, and contract with a local computer shop to do Novell maintenance, etc., is it the contractor's fault that because didn't request a $50,000 privacy and security audit, stuff got lost?

4) What happens when this is a government agency? Who gets sent up the river? The PMO? The CISO? The CPO? No one? (See: VA breaches, HHS, etc). Why, for instance, is the password to your Sallie Mae monthly PDF still your SSN?)

5) If you hold, store, or process information, especially PII for other companies (ie, you are a third party provider), you already do this, since the company that hires you will include "due diligence" as part of their vendor management program. While Steve's Credit servicing with 4 employees may not write this into the contract, every single stinking bank that is regulated (ie, all of them, via the OCC, FDIC, etc) will force these provisions on you, or they will be unable to renew a contract.

6)As far as notice, each state has different thresholds for providing notice to people. Think long and hard before you request the federal gov't "level the playing field" on notice, since when the feds preempt state legislatures, the playing field meets the lowest common denominator. Right now, since almost every entity has a customer in California, for instance, the companies are required to write and implement policies to the *highest* common denominator.

6b)Notice does not, and should not be required to be given while there is still an ongoing investigation. This is why the VA (supposedly) waited for months before sending me my letter. You lose a tape, you try to figure out the scope of the loss. That's OK, otherwise we'd all be getting two letters a month "just to be sure."

7)Consumers have the choice to move their business. How many of you have read Verizon's privacy notice? That of your bank? Do you even know when their policy says they're allowed to share your information? Change banks, find one that can give you the answers. Call your bank CPO, and ask them their plans surrounding two factor authentication (FFIEC guidance from Oct 2005). I've done this.

8) Technical controls and policies cannot ever be perfect. No system is ever 100% protected from failure or incident. How many developers don't check out code from source safe like they're supposed to? Fess up. You, lonely old you, are violating a technical control over data integrity. Grabbed an unlabeled tape to replace the dead one in the tape library to get the backup done on time? Hmmm, may have PII on it that won't be overwritten.

9)Returning the the government question, let's think about state and local governments. Court records are public, and the crowd has pushed that services be made available online. Whoops, your divorce decree is available online, with addresses, pay rates, and probably SSNs all around! What about the courthouse you filed your DD-214 with when you got out of the army? Anyone can go look at it. New York just figured this out.

10) Colleges... Colleges have archives that go back decades. Remember when it was normal to put your SSN on all correspondence you had with the university? Go look in some boxes.

11) Look for an example of an FTC consent decree. They're pretty ugly, and can be for seemingly minor violations.

12) How many of you went to a new dentist or doctor and put your SSN somewhere? That was completely optional, and you didn't have to, but you just created a new attack vector on your identity.

The basic point is this... It's purely a feel good measure, with no discernable productive results. Get ID theft insurance, clean your own house, and conduct your own due diligence about people you give your business.

You forgot the outsourcing implications. Sallie Mae for example, handles the vast majority of student loans in the U.S. Those loans have your SSN (and credit history, etc.) all over them. Those loans are now managed almost entirely in Bangalore.

I don't understand how do you not hold the corporation responsible rather than IT manager? The corporations should be held responsible for hiring the right staff. If the staff is not capable of securing the data hire staff that is, simple as that. This bill is rediculous. Once again corporations get away with murder while the little guy gets the shaft.

A better answer to "Sort of" is "That information is confidential for security reasons"

One major problem I see right off is that company (corporation) policies have the effect of law internally. Companies change policies as often as they change personel. Each new boss/manager wants things done "his" way. They must share the burden of legal prosecution too. The idea is very good. It just needs to be well thought out.

This is good news, it's about time someone was held responsible for this. The callous mishandling of personal information in this day and age, is inexcusable. The system doesn't have to be perfect (no system truly can be) but hopefully this will force companies to take proper precautions.

But why the IT manager?

Been there, done that, and in many cases had *very* little say in what our teams could do.

Limitations could be as simple as money, as frustrating as an uninformed (or misinformed) CEO, or as any number of things.

I've never been guilty of not knowing how, or not wanting to secure company and personal data, however, I have many times been completely incapable of doing it any justice at all due to the above limitations.

This will raise the cost of hiring *any* IT management staff, the cost of securing data for all businesses, and put smaller businesses out of business and IT managers who focus more on management than security out of jobs.

Unless they change who's getting blamed, insert some wording with regards to only applying to negligent cases and so on, this bill, as it stands, is a nightmare.

Unfortunately its all speculation right now. I haven't been able to locate actual text from the Bill but what I have read doesn't specify "IT Managers" as the target of wroth which leaves the door open to go after the exec's who refused to fund adequate protections. Also, since the Bill was rejected previously for language that wasn't mentioning "reasonable measures" I find it difficult to believe they would reintroduce the same bill with the same text. They would have to tweak it. If you happen to find an actual copy of the Bill, please link it here.

Eventhough I am all for cracking down on the miss handling of private information.

I am pretty scared of a Bill like this.. Look even if you dry out every resource and make a DB as secure as can be, there will always be some sort of loophole were one can grab at this information. How can you hold an IT manager responsible if he took every messure concievable to protect this information and some way a Hacker still found a way around it?

So are we saying that now IT Managers basically have to hold the Lock and the Key to every single shred of personal information? Do Human Resource ppl have to go through the IT Manager to get "clearance" to view this information?

This Bill is walking a very fine line between great, and freaking impossible.

Not to mention that sometimes IT managers hands are tied to what they can do by upper management and even simple finances.

Security costs money and time. Something many companies are short of on both sides. I'm not for shirking security responsibilities, but sometimes you can only do the best you can and it may not be enough if someone is determined or just plain makes a mistake (takes a DB home on a laptop and their car gets stolen [happened to a coworker of mine, fortunately nothing on it was of any importance]). Who is to blame for that?

This bill like so many is outrageous. Call your senate and house and get it stopped.

Oh crap, the repubs will hate this. What will they do without being able to lose a laptop every week with millions of taxpayer social security numbers and tax ID info on it?

your a freakin loony

The private sector has lost 24x the data our government has. Neither "party" has a leg to stand on.

Good morning, troll. How are you today?

well shhht. time to find a scape goat

Screw them, this bill is bull....
Any good hacker can always hack in and cause damages.
Why don't they blame the ones who made unsecure DB softwares?

WE SHOULD NOT LET IT PASS.

If you aren't worried about personal information security and think this bill is bull then please post your full name, social, phone number, mailing address, and several of your credit cards to this forum.

Don't worry, I mean you blindly trust that it's secure. You just implied you did.

As an IT professional one is directly responsible for what they introduce into their environments. If you install insecure db 2.0 without testing and identifying it's insecure and you are compromised, it's not maker of insecuredb's fault, it's yours.

Thanks.

No matter how much testing one does they will never find all the bugs that make a software insecure...

True, however if you encrypt it on the wire and at rest you can help minimize the impact.

Most IT shops still don't comprehend the basics like that one.

Even minimal testing will identify a large percentage of the bad stuff.

Well, I sincerely doubt anyone could get through into a system with a hardware firewall, Grsecurity, PaX, encrypted hard drives and very obscure routing tables very easily ...

Why should private databases be open to the Internet anyway? Surely all that's needed is a connection to the companies' LAN, or in some cases dedicated WAN? If the machine for some odd reason does need to be connected to the internet, then traffic in and out should be monitored for suspicious activity.

As to physical access to machines with private data on them, this shouldn't be allowed unless strictly necessary.

finally, surely the Judge would decide when ruling whether the "IT Manager" accused had done all that was within her/his power to secure the system? (I have not RTFB)

Why should private databases be open to the Internet anyway?

Because some people like online banking, online bill pay, ebay, amazon, etc.

This bill sounds much too vague to me.

America has been waging a war against small business for many years now. Legislation such as this is just another attack in the campaign. Unless gross negligence can be shown on their behalf, it is insane to suggest holding the IT Manager responsible. If a bill such as this becomes law... small companies will not be able to afford the $120K+ salaries required for an IT Manager/Security Expert plus scheduled Audits... and they will either go out of business or outsource their data centers to another country. As an IT guy I'm ALL for security... but making the IT Manager (who is typically hobbled by upper administration and budget) the scapegoat for a security breach is a step in the wrong direction.

"America has been waging a war against small business for many years now."

Yes--they call that free enterprise--think of it as survival of the fittest. It really is supposed to be that way, it encourages competition.

"Legislation such as this is just another attack in the campaign."

Legislation like this, minus the politics, is designed to hold businesses accountable for losing YOUR personal data. How on earth is that anti-small business?

"Unless gross negligence can be shown on their behalf, it is insane to suggest holding the IT Manager responsible. If a bill such as this becomes law... small companies will not be able to afford the $120K+ salaries required for an IT Manager/Security Expert plus scheduled Audits..."

In California perhaps, but where I live you'd be fortunate to make $50,000 a year working at the frikin University's business department (I know my brother worked there). Perhaps if this happened we'd have better security and not waste money on CEO's salaries.

and they will either go out of business or outsource their data centers to another country."

The outsourcing issue is a problem because the IT industry is flooded with idiots who have pretty resumes but can't tell a network port from a friggin USB port! (please note this is about 40% to 60% of them but not all of them)Rather than risk hiring an idiot, why not pay someone 1/10th the price overseas? No easy answer to this problem--do you have any ideas?

"As an IT guy I'm ALL for security... but making the IT Manager (who is typically hobbled by upper administration and budget) the scapegoat for a security breach is a step in the wrong direction."

Wow. As an IT administrater, my PRIMARY responsibility is network security--I learned that in my net essentials class during my first semester. When is it that personal data became open source?
Seriously, if nobody is responsible, big businesses can screw people around and get away with it. Someone has to be responsible, otherwise you can run your network and allow hackers in every day because frankly you are the expert so you can explain your way out, right?

I understand there are security breaches that may not have anything to do with you or me, but SOMEBODY has to be responsible, or the whole system will remain the @#$%ed up system it is today.

Hmm, are you actually agreeing with something I said?

Though, it's indirect.

heh

Well--I said what I thought anyway, and it just so happens that my opinion seems to agree with yours here, fewt.

Weird, man...