this post was submitted on 07 Aug 2024
515 points (98.5% liked)

Technology

57997 readers
2848 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
515
2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed (www.tomsguide.com)
submitted 1 month ago by fmstrat@lemmy.nowsci.com to c/technology@lemmy.world
141 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Ebby@lemmy.ssba.com 26 points 1 month ago (12 children)

Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.

I'm thinking 3 categories: Reporting, oversight, and accountability.

Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.

Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.

Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.

[–] Asifall@lemmy.world 1 points 1 month ago

I think we also need levels of PII or something, maybe a completely different framework.

There’s this pattern I see at work where you want to have a user identifiable by some key, so you generate that key when an account is created and then you can pass that around instead of someone’s actual name or anything. The problem though, is that as soon as you link that value to user details anywhere in your system that value itself becomes PII because it could be used to correlate more relevant PII in other parts of your system. This viral property it has creates a situation where a stupid percentage of your data must be considered PII because the only way it isn’t is if it can be shown that there is no way to link the data to anybody’s personal information across every data store in the company.

So why is this a problem? Because if all data is sensitive none of it is. It creates situations where the production systems are so locked down that the only way for engineers to do basic operations is to bend the rules, and inevitably they will.

Anyway, I don’t know what the solution is but I expect data leaks will continue to be common passed the point when the situation is obviously unsustainable

load more comments (11 replies)