Re: Data Security Law

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: wbfergus@xxxxxxxxx
  • Date: Wed, 28 Apr 2010 21:23:37 +0100

I have to say it was the email, organization charts, PowerPoint as well as
the db requirements that got me. It rather looks to me as if the law is so
broadly drafted it's unenforceable. Jurisdiction would likely be relevant as
well.

Niall Litchfield

On Apr 28, 2010 9:14 PM, "Bill Ferguson" <wbfergus@xxxxxxxxx> wrote:

This "personally identifiable information" (PII) part has really
caused me lots of heartburn.

According to NIST Special Publication 800-122 (Draft), section 2.2
(Examples of PII Data): (these are just the ones that cause me
heartburn)

Name, such as full name, maiden name, mother's name, or alias.

Address information, such as street address or email address.

Telephone numbers, including mobile, business, and personal numbers.

Information about an individual that is linked or linkable to one of
the above (e.g., date of birth, place of birth, race, religion,
weight, activities, or employment, medical, education, or financial
information).

So, by these flaky definitions, the phone book is chock full of PII.
Every email is PII. About the only thing that isn't PII is a blank
file.

So, even though the folks in my office do nothing except gather
publicly available information, analyze it and make some assumptions
and maybe make a few graphs, etc., and then regurgitate out into
another publication, everything still needs to be treated as if it
contained national security secrets since parts of it will certainly
contain some of the above types of data.


--
-- Bill Ferguson
