[Owasp-portland] ORS 646A

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Tue Feb 8 01:18:33 EST 2011


Hi James,


> My expectation is that the safeguards listed in section 622 are going to
> get argued in court as due care issues; you should be able to demonstrate
> that with evidence of compliance to GLBA or HIPAA, as stated. Any of PCI-DSS,
> ISO, NIST, COBIT, ITIL... or a solid InfoSec program of your own creation
> could also suffice. It will be up to lawyers and expert witnesses
> to argue whether 622 is met or not when this gets applied to a breach.

Yeah, I guess this was the part I was interested in, related to how one
interprets the appropriate ways that one "Assesses the sufficiency of
safeguards in place to control the identified risks" if you are a sole
proprietorship vs. a 10000 employee corporation, etc.  I would imagine
many large organizations already feel the pressure to comply with many
other laws and would be able to argue their way through any of these
rules on how reasonable their security programs are.  But I wonder how
it would be interpreted for local small businesses.  I guess that is for
the courts to define when it comes up.

> Here's one example where the statute was used to coerce a settlement:
> 
> http://clientdatasecurity.com/Oregon-Spruill-Order.pdf
> 
> I'm not aware of much else generating press on this statute.

Interesting.  Maybe it just requires the press to get involved in order
to get this law applied. ;-)

Thanks for the info,
tim
