[Dataloss] Tracking consequences of data loss

Al Mac macwheel99 at sigecom.net
Wed Oct 11 13:53:19 EDT 2006 

Many organizations have sustained healthy fines from the FTC in the 
aftermath of breach investigations that found the places that got breached 
were negligent in some way.  I have seen fines in the $ millions.

At least one place has had to declare bankrupsy and go out of business, as 
a result of the loss of confidence in them that came about due to the 
circumstances of the breach, where their business was entirely dependent 
upon the major credit card brands trusting them or approving their security 
arrangements.

There is also a web of lawsuits associated with trying to recover the costs 
of re-issuing credit and debit card accounts.

Another follow-up I would like to see is which of these places were
(a) governed by some security mandate that they violated (which ones) ... 
various gov regulations by industry, such as on this 
list  http://www.unbeatenpathintl.com/ITstandards/source/1.html
(b) seeking to achieve some security standard, such as encryption, ISO 
17799 (which I think is going to be renumbered as 27002) 27001 and BS7799-3 
which will become ISO 27005,  credit card industry standard, DoD standard, 
but failed, or that they did achieve some standard, but the standard was 
not good enough to prevent the breach
If you are unfamiliar with the ISO standards for security ... www.27000.org 
for info on this security standard, which is not just computer security, 
but also physical security
(c) illiterate about security standards

>This discussion of quantifying the repercussions of a data breach has me 
>wondering if there is a way to make a notation in DLDOS if a company is 
>fined or sued as the result of such an incident. I'm not sure it's 
>possible to show loss of reputation in any meaningful manner - has anyone 
>seen cases where the perpetrator was successfully charged for causing 
>either financial losses and loss of reputation?
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 136 million compromised records in 416 incidents over 6 
>years.

More information about the Dataloss mailing list