Too Much Media / NATS May Be in Violation of NJ Statute 56:8-163

[minusonebit]

John, have you complied with your legal obligation to notify New Jersey residents of the fact that you suffered a security breach? You were required to do this when you discovered the breach, if you haven't done it yet, its too late already.

http://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM

C.56:8-163 Disclosure of breach of security to customers.

12. a. Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. The disclosure to a customer shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection c. of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.

b. Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.

c. (1) Any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.

(2) The notification required by this section shall be delayed if a law enforcement agency determines that the notification will impede a criminal or civil investigation and that agency has made a request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that its disclosure will not compromise the investigation and notifies that business or public entity.

d. For purposes of this section, notice may be provided by one of the following methods:

(1) Written notice;

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of the federal "Electronic Signatures in Global and National Commerce Act" (15 U.S.C. s.7001); or

(3) Substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

(a) E-mail notice when the business or public entity has an e-mail address;

(b) Conspicuous posting of the notice on the Internet web site page of the business or public entity, if the business or public entity maintains one; and

(c) Notification to major Statewide media.

e. Notwithstanding subsection d. of this section, a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system.

f. In addition to any other disclosure or notification required under this section, in the event that a business or public entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the business or public entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by subsection (p) of section 603 of the federal "Fair Credit Reporting Act" (15 U.S.C. s.1681a), of the timing, distribution and content of the notices.

http://www.njleg.state.nj.us/2004/Bills/PL05/226_.HTM

[dissipate]

Magically Sigalicious

[polish_aristocrat]

sig spot and Merry Christmas

[Ross]

So anyone from NJ using stats could "legally" sue TMM?

So long as nobody suffered any financial loss I don't think they will bother.

[minusonebit]

Never mind the fact that there are at least 38 other states that require notifications. It looks like John could be in breach of the laws of more than half of the states in the Union. If you are in one of these states, read the statute applicable to your state and see if he was required to notify you even though he is setup in New Jersey. If he was setup somewhere else, he was still required to notify any NJ residents he did business with.

http://www.ncsl.org/programs/lis/cip...breachlaws.htm

[JFK]

Quote:

Originally Posted by dissipate

Magically Sigalicious

indeed it IS

[tony286]

man someone is doing their homework.

[donnylong]

OH SNAP

[Iron Fist]

Quote:

Originally Posted by dissipate

Magically Sigalicious

[DamageX]

Very interesting.

[NoComments]

Quote:

Originally Posted by minusonebit

Never mind the fact that there are at least 38 other states that require notifications. It looks like John could be in breach of the laws of more than half of the states in the Union. If you are in one of these states, read the statute applicable to your state and see if he was required to notify you even though he is setup in New Jersey. If he was setup somewhere else, he was still required to notify any NJ residents he did business with.

http://www.ncsl.org/programs/lis/cip...breachlaws.htm

note to self:
don't threaten anybody with law suits. Keeping quite and burning them alive is much better option.

[st0ned]

Hmmm sig spot?

[Barefootsies]

Quote:

Originally Posted by minusonebit

Too Much Media / NATS May Be in Violation of NJ Statute 56:8-163

Wow.... and to think you are wasting all your expertise in porn.

Go back to law school chief.

[CurrentlySober]

i only have a tiny sig...

[CurrentlySober]

but its what i do with it that counts...

[~Ray]

niche is king....

[SuzzyQ]

John, You have yet to notify Connecticut residents also. It appears you are in violation of Connecticut SB 605. The state of Connecticut takes these things very seriously. The AG has no problems pressing charges.

[Enemator]

Reminder: MINUSONEBIT posted 300 webmaster passwords on his weblog for every sciptkiddie to abuse. He's just trying to get into the good books again.

Ignore this asshole.

[Enemator]

As a matter of fact, Minusonebit. Are you not responsible for these NATS-logins? I would not be surprised if you were

[Dirty F]

Quote:

Originally Posted by tony404

man someone is doing their homework.

Yeah minusonebit fights for his privacy rights! One of his biggest achievements is suing a pizzaplace because they printed some CC digits on his receipt. Without people like him big brother would have all our info allready.


And without people like him 300 webmaster passwords, usernames, addresses etc werent posted on his "security" blog. Because, its funny, everything he stands for suddenly dissapears when he can make 2 bucks extra a day with adsense.

[frankski]

hmmm interesting...I guess that's why I got that email today, as brief as it was...

let me take my big & beautiful New Joiseyan ass and do some reading....

[Damian_Maxcash]

I havnt looked at the threads in detail - was it TMMs or the Progs servers that have been breached?

If it was all the programs then you ae just fucking the victims with this.....

[Dirty F]

Actually Minusonebit's fight is about one thing. And thats not what he tries to let us think it is: protecting us from "big brother", no, its about trying to fill his always empty pockets.

Minusonebit is a broke little scumbag rat. A leech, a bloodsucker. Posting 300 passwords of webmasters was absolutely no problem for him because it gave him some controversial content on his blog which results in a few more adsense clicks.

Hes the type of person who would drop some pudding on the supermarket floor, then "accidentelly" slip in it so he can sue them. You know what i mean.

[tdfcash3]

very very interesting!

[ninavain]

whoa, this is a bit messy, glad I never went to NATS

[Due]

I'm sorry but this is not something that NATS / John must do, but this is something the PROGRAM OWNER must do.
It is not NATS that keep and maintain the databases that was compromised, they designed it, but they do not keep and maintain it.

[Lee]

Quote:

Originally Posted by Due

I'm sorry but this is not something that NATS / John must do, but this is something the PROGRAM OWNER must do.
It is not NATS that keep and maintain the databases that was compromised, they designed it, but they do not keep and maintain it.

Thats how I would have thought it worked, but what do I know?

[JOKER]

Quote:

Originally Posted by Due

I'm sorry but this is not something that NATS / John must do, but this is something the PROGRAM OWNER must do.
It is not NATS that keep and maintain the databases that was compromised, they designed it, but they do not keep and maintain it.

In order that they can do that, NATS actually has to officially inform the Program Owners of the breach first of all - this being his step in it - as depending on his DB setup, besides their Admin-logins, their sensitive data might have been compromised as well?

At least that's how I understand it?

[check]

Everyone should report this to the media, news and fbi.
This will force fbi investigation.

Million people(my ssn ...etc too) may lost their info.

It is easy job for fbi to find who did all this.

Here is fbi report form:

https://complaint.ic3.gov/Default.aspx

just do it.

[minusonebit]

Quote:

Originally Posted by Due

I'm sorry but this is not something that NATS / John must do, but this is something the PROGRAM OWNER must do.
It is not NATS that keep and maintain the databases that was compromised, they designed it, but they do not keep and maintain it.

Well, they do seem to maintain it. That is what started this whole thing, mismanagement of the maintenance accounts. But you do raise a valid point as to who should actually be sending the notifications. For that, I guess we'd have to look at the contracts NATS has with it's clients and see who is responsible for what. But I am gonna go out on a limb and guess that we'll never, ever see any of those. So its anyone's guess as to who is actually responsible for it. But if the NATS client contract was as thought out as the TMM/NATS response and solution to the rest of this mess, its probably safe to say that it could would not be defined in the contract and either or both should have and were responsible for seeing that it is done. A great example of that ounce of prevention being worth a pound of cure.

[cykoe6]

Why does everyone have such a hard on too make this situation worse than it is? Just what this business needs....... more bad press or investigations.

[Varius]

"without unreasonable delay"

I'm sure if it ever came to it, his lawyer could just easily argue the delay IS reasonable as they are still trying to gather exactly what information was stolen

Man I'm so glad I don't live in the USA, I'm sure I'd get sued every day for something ridiculous. Do you guys have lawyers representing insects yet in case I step on one ?

[SmokeyTheBear]

Quote:

Originally Posted by Ross

So long as nobody suffered any financial loss I don't think they will bother.

every company that got hit suffered a huge financial loss, they have their members scooped from them.. that can't help the rebills.

[SmokeyTheBear]

Quote:

Originally Posted by cykoe6

Why does everyone have such a hard on too make this situation worse than it is? Just what this business needs....... more bad press or investigations.

half the reason this industry is in this mess is because people let things like this slide

[DamageX]

Quote:

Originally Posted by SmokeyTheBear

half the reason this industry is in this mess is because people let things like this slide

Half?

[minusonebit]

Quote:

Originally Posted by SmokeyTheBear

half the reason this industry is in this mess is because people let things like this slide

I agree completely, but I'd put the number closer to 95%.

Quote:

Originally Posted by Varius

"without unreasonable delay"

I'm sure if it ever came to it, his lawyer could just easily argue the delay IS reasonable as they are still trying to gather exactly what information was stolen

That would be a good tactic for the lawyer to try if the other side had a fence post representing them that was asleep at the counsel table, but thats not what the law says. The law doesn't say they get to wait until they nailed down with exact certainty what was stolen and how, it says that as soon as you know a breach happened you start notifying people. And anyway, we are talking about a matter of months gone by here. Thats gonna be a very hard sell to the Court that it took them about three months to determine that a breach had happened and who was effected (and even now they still don't seem to know what happened). Maybe if they were AT&T and had to search every single central office switch in the world that could fly, but they aren't. They have - at the most - 1,000 servers to search and most of them probably easily accessible. The maximum amount of time that should take is a few days for someone busting ass to find something.

[notoldschool]

Quote:

Originally Posted by check

Everyone should report this to the media, news and fbi.
This will force fbi investigation.

Million people(my ssn ...etc too) may lost their info.

It is easy job for fbi to find who did all this.

Here is fbi report form:

https://complaint.ic3.gov/Default.aspx

just do it.

THIS IS NOT A WEBMASTER.

This guys works for the other side you see. He trolls adult boards looking for ways to bring down our industry as a full time job for the extreme right. Please pay not attention to the disallusioned.

[notoldschool]

Quote:

Originally Posted by minusonebit

I agree completely, but I'd put the number closer to 95%.



That would be a good tactic for the lawyer to try if the other side had a fence post representing them that was asleep at the counsel table, but thats not what the law says. The law doesn't say they get to wait until they nailed down with exact certainty what was stolen and how, it says that as soon as you know a breach happened you start notifying people. And anyway, we are talking about a matter of months gone by here. Thats gonna be a very hard sell to the Court that it took them about three months to determine that a breach had happened and who was effected (and even now they still don't seem to know what happened). Maybe if they were AT&T and had to search every single central office switch in the world that could fly, but they aren't. They have - at the most - 1,000 servers to search and most of them probably easily accessible. The maximum amount of time that should take is a few days for someone busting ass to find something.

BTW hows your war on adult doing with epassporte? are they still running?

[Sly]

Quote:

Originally Posted by Varius

"without unreasonable delay"

I'm sure if it ever came to it, his lawyer could just easily argue the delay IS reasonable as they are still trying to gather exactly what information was stolen

Man I'm so glad I don't live in the USA, I'm sure I'd get sued every day for something ridiculous. Do you guys have lawyers representing insects yet in case I step on one ?

I always kind of laugh about people that always talk about lawsuits. It always makes me wonder how many of them have actually ever filed a lawsuit. I don't know about you guys... but nobody I know likes spending time in court... especially when problems can be solved in other ways.

In my opinion, lawsuits, should typically be a last resort.

[RudeBoy]

so minusonebit are u planning to sue anyone ?

[2012]

[Darkland]

I think the people these days who jump on the sue bandwagon for personal gain with no real need other than the fact that they can should be shot.

I tripped and fell somewhere, let's sue the owner of the parking lot or store.

I burnt myself on coffee thats SUPPOSED to be hot, lets sue the store.

I got fat cause I eat unhealthy and greasy food, sue the store, it has to be their fault right. It goes on and on and on.

To many people keep a look out for the potential to sue someone for anything and everything. When they should be worrying about their own personal responsibilty in the life they lead.

I am not saying that suing someone is wrong, there are clearly cases when you should. Like if a hospital fucked your life up by doing something wrong or if you are seriously injured by someone. There are 1000's of law suits with real needs but they are far outweighed by the frivolous ones.

Shit happens, and 8 times out of 10, it's the persons fault and no one elses. And even in some of the righteous law suits, and I am not talking about events that seriously affect the rest of your life on this planet, I believe the people who win them are grossly compensated.

The sue because we can and earn a shit load of money we dont deserve is sickening and turning this countries justice system into a joke.

[Gerco]

You know... you may be in violation of being a total moron. I can't believe that I actually wasted the 5 minutes it took to read what you blogged about this whole NATS situation but what REALLY surprised me is your estimate that, and I quote.. "The NATS system is deployed on an estimated 80% to 95% of all adult sites"

seriously... how thick are you? In reading the various posts all over this board I have heard 100 programs, to 1500 programs using them, but 80 to 95% of all adult websites.... LOL

[minusonebit]

Bump... how could we let this die so quickly? Shame, shame!

[pip]

Do you ever shutup? You are a big nothing in the industry