Take a look at Case Project 7-6: Community Site Activity. You do not need to
log on to the Information Security Community site to complete this assignment.
Read through the narrative regarding Vendor A and Vendor B, then answer the
questions. Provide examples to support your answers. You might also find
guidelines for a suggested timeline, and cases where penalties were applied for
non-compliance. You might do a little research and determine if there are
regulations regarding disclosure for different industries, such as health
care. No more than two pages.

Vendor A was successfully attacked on Monday night and personal customer
information was compromised. The next day, Vendor A sent an e-mail to its customers
that it was the victim of a successful attack that occurred “recently” in
which “certain information” was stolen. Vendor A did not detail what information
was stolen, what direct impact it may have on its customers, or what customers
should do about it, other than some generic statements. Vendor B was also
successfully attacked on Monday night. Vendor B waited 10 days
before revealing the attack to its customers, but it included detailed information
about the attack, its consequences, and how customers could protect themselves.
In both cases, clear and immediate information was not distributed. Should
vendors be obligated to inform customers when attacks occur and how to protect
themselves? What should be the timeline for doing so? What should be the
penalties if vendors do not follow such guidelines?