I'm not certain, it's just a troll that we have going for SW because of their most recent bug.
Posts made by DustinB3403
-
RE: Fully crowdsourced extra spicy award
Come on everyone, Cisco needs to be in at least 2nd place.
Vote Harder!
-
RE: Chinese Programming Cheerleaders
Gotta be one of the best interviews to be in (even if it would never happen in real life)
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
I think this ruling leans more towards, "You'd better follow best practices with regards to private client information (which isn't it all private), and if you don't and are breached, regardless of the cause you'll be fined for said breach."
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller So a smarter hacker (or team) who breaches even the best implementation of IT security would still be fined, because they didn't go out of their way to further test the security systems that are current best practice. Because that is exactly where this leads to.
Again I am all for the new power, I'm just playing devil's advocate.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller Those are simple examples.
Let's use the example of trafficking illegal drugs across the border, then from state to state trafficking the drug money.
There is a minimum for those.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller said:
@DustinB3403 said:
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
Why would a minimum fine be unlikely? There are minimum fines for DWI's, using drugs, blatant theft from a person or business.
It's all a matter of reasonable restitution. If 300 people's private information is stolen during a breach. Let's (and just for argument's sake) say that the FMV of that stolen data is $5 Million. Credit value, cash, property. Whatever it might be.
A minimum restitution to the allowed loss of that FMV has to exist. Otherwise the company that allowed the loss to happen in the first place (and who is at fault) could possibly only pay $100,000 fine. Or almost no fine at all.
Setting a minimum doesn't mean that it will always be used as the value at which stolen information is valued. Where fines are applied from.
It means (at least it should IMO) that if you're found guilty of blatant disregard for customer privacy you will pay X dollars and UP as appropriate for the level of the breach.
Quite honestly I'd want a 1:1 ratio of value:fine but that will likely never happen.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
I wouldn't say it's a number of wrongdoing that the FTC should overlook at all.
Nor should they overlook any if it's practical for them to enforce every possible case.
This new power needs to be applied equally, and judgement (fines) applied appropriately (to the scale of the breach, not to the size (profits) that the company makes). Not just a demand for a blank check so to speak from the defendant.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
The precedent isn't for this exact case, but as a general practice, "We've done it before, let's go again for another round."
It's how people, not just govt function.
Do something again and again because it's the most simple and rewarding process to do. What happens to the collected monies from the sued companies, does it go towards the damaged parties, or does the govt keep it?
I'd hope it goes to the damaged parties, likely some or most of it does. But some of it definitely goes to the agents supporting those damaged parties. In one way or another. Which would lead to corruption.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller I completely hope that the FTC does and will do the correct thing with this new precedent. But I suspect that what will come from this will be more of the chase every company large and small for any penny that the govt can get.
Now, this isn't a bad thing in itself, immediately as many companies will get the hint that they need to improve their security policies and practices.
But what will likely come from it is more businesses will simply try to become more deceptive about their practices because "well it's too much (money, work, difficult) to (implement / keep current) with current standards."
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller said:
Not that I feel that companies should not be allowed to manipulate. Marketing is all about manipulation and no one gets manipulated that doesn't allow themselves to be. So I don't feel that people should be protected from it. As long as it isn't deceptive.
So all advertising should have a disclaimer that says "You are being manipulated to give us your money" at the bottom of the package or screen?
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
@scottalanmiller said:
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
Pirating software is simply a choice that many people and companies do because they don't value the software, but they should.
I personally agree any company who doesn't follow best practices should be pressured to get up to "standard" if they aren't already (by lawsuit). What I don't want / hope I guess is that the FTC doesn't begin blindly suing companies of any size because new technology hasn't immediately been implemented. Even if 1 of their competitors has implemented it.
It would seem to be unfair if I worked at company A, and called the FTC on company B who didn't immediately implement the newest security measure for my own gain of possibly putting company B out of business so I have less competition. Even if company B offers a better higher quality product.
Is it fair, yeah, does it seem just, no of course not. I can see many businesses in this scenario being royally boned because of slighted competitors.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
Yeah I really think the FTC finally has some ability to enforce best practices.
My only concern is that the FTC could very easily begin using this power to chase down SMB's who even for a lack of trying aren't capable of implementing 'Best practices' at the time of the suit.
By this I mean, the FTC may bring a suit against an SMB who is very well secured, but a new procedure or process is developed that (and think just crazy nonsense here) everyone should immediately implement because if they don't then they're just being negligent.
But this solution would cost any business SMB, Enterprise etc upwards of $20,000 (for example, I know it's small change relatively speaking).
So now every SMB and Enterprise who can't immediately implement this new best practice is on the block to be sued by the FTC.
Hopefully it won't go that way, as best practices do vary based on business clientele. But who's to say it won't.
-
RE: Enterprise 2 Drive USB Storage Devices
True, NAS would be an option. I'm simply looking at alternatives in a very general light of anything other than LaCie as 2 distinct units have both had drives fail within 3 weeks of each other.
-
RE: FTC can finally sue Businesses that fail at basic best practices for Cyber security.
Reading through the court ruling, the court in this case actually found and agreed / used "unfair methods of competition in commerce" (bottom of page 12 / top of page 13 of the PDF)
"The Federal Trade Commission Act of 1914 prohibited “unfair methods of competition in commerce.” Pub. L. No. 63-203, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. § 45(a)). Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ . . . by enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239–40 (1972) (citing S. Rep. No. 63-597, at 13 (1914)); see also S. Rep. No. 63-597, at 13 (“The committee gave careful consideration to the question as to whether it would attempt to define the many and variable unfair practices which prevail in commerce . . . . It concluded that . . . there were too many unfair practices to define, and after writing 20 of them into the law it would be quite possible to invent others.” (emphasis added)). The takeaway is that Congress designed the term as a “flexible concept with evolving content,” FTC v. Bunte Bros., 312 U.S. 349, 353 (1941), and “intentionally left [its] development . . . to the Commission,” Atl. Ref. Co. v. FTC, 381 U.S. 357, 367 (1965).
After several early cases limited “unfair methods of competition” to practices harming competitors and not consumers, see, e.g., FTC v. Raladam Co., 283 U.S. 643 (1931), Congress inserted an additional prohibition in § 45(a) against “unfair or deceptive acts or practices in or affecting commerce,” Wheeler-Lea Act, Pub. L. No. 75-447, § 5, 52 Stat. 111, 111 (1938).
For the next few decades, the FTC interpreted the unfair-practices prong primarily through agency adjudication. But in 1964 it issued a “Statement of Basis and Purpose” for unfair or deceptive advertising and labeling of cigarettes, 29 Fed. Reg. 8324, 8355 (July 2, 1964), which explained that the following three factors governed unfairness determinations:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise—whether, in other words, it is within at least the penumbra of some common-law, statutory or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers (or competitors or other businessmen)."
Case: 14-3514 Document: 003112053032 Page: 13 Date Filed: 08/24/2015
So the guidelines are structured to develop and grow as IT grows and develops. So it isn't a stringent "this is how to do it".
-
RE: Enterprise 2 Drive USB Storage Devices
My goal personally in any system would be to have the storage directly attached to the server. And not use external USB drives as network shares.
-
RE: Enterprise 2 Drive USB Storage Devices
In our current environment we're very limited to the available 3.5" or 2.5" bays to install spinning rust, or SSD's.
But we have plenty of USB access on each of these systems.
Anyways that is outside of the scope of the question. Which if you had to purchase USB External storage, what would you purchase for use in a business (enterprise) environment?
-
RE: Enterprise 2 Drive USB Storage Devices
Yes (at least with what we have currently). Which that is planning on being changed to newer hardware.