<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
[u]</title></head><body>
<div><x-tab> </x-tab>A
Qualys (a good system) - or equivalent installation, insurance and
whatever other components a business may implement to protect its PII
data is not a set-it-and-forget-it procedure. Kryptonite-proof
it ain't. No system is 100% immune from all risk.</div>
<div><x-tab> </x-tab>A savvy
CTSO, with the cooperation and support of senior management, will
implement all of the components: training its personnel, hardware and
software firewalls, changing passwords periodically, encrypting data
in use, purging data no longer needed, periodic random testing of the
system, and whatever else to reduce risk of data loss - internal and
external.</div>
<div><x-tab> </x-tab>An even
smarter management team will have all of the foregoing incorporated
into its culture and have on deck 1) a breach management plan;
2) notification and PR templates; 3) a recovery plan; and 4) a re$erve
or insurance.</div>
<div><br></div>
<div><x-tab> </x-tab>There
are federal regulations - [see FTC 12 CFR § 315 et seq. of the
FACT Act], becoming effective in November 2008, that mandate that
financial institutions, their providers and anyone else who deals with
consumer credit (and the PII data necessary to conduct their
business) implement a host of must-dos or face penalties.</div>
<div><br></div>
<div><x-tab> </x-tab>A business
not in compliance that suffers a breach will be subject to:</div>
<div><font
color="#000000"><x-tab>
</x-tab>* Civil Liability - Actual damages sustained if identity
is stolen as a result of corporate inaction or statutory damages up to
$1,000 per affected individual;</font></div>
<div><font
color="#000000"><x-tab>
</x-tab>* Class-Action Lawsuits - If large numbers of individuals
are affected, they may be able to bring class-action suits and get
punitive damages; </font></div>
<div><font
color="#000000"><x-tab>
</x-tab>* Federal Fines - Up to $2,500 for each violation;
and </font></div>
<div><font
color="#000000"><x-tab>
</x-tab>* State Fines - Up to $1,000 for each violation depending
upon jurisdiction.</font></div>
<div><br></div>
<div><x-tab> </x-tab>So
maybe a little insurance isn't such a bad idea, n'est-ce pas?</div>
<div><br></div>
<div>Sanford Lung</div>
<div>Honolulu (yes, there are ID fraudsters in paradise)</div>
<div><font size="-1">http://www.identitysafeguards.com</font></div>
<div><br></div>
<hr>
<div><br></div>
<div><br></div>
<blockquote type="cite" cite>Whoops, wrote too soon:<br>
<br>
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207,00.html<br>
(Thanks to a student post for pointing this out.)<br>
<br>
<br>
> -----Original Message-----<br>
> From: Sasha Romanosky [mailto:sromanos@andrew.cmu.edu]<br>
> Sent: Thursday, March 20, 2008 6:27 PM<br>
> To: 'dataloss@attrition.org'<br>
> Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!<br>
><br>
><br>
> To my knowledge, this firm in Canada is the one that offers<br>
> data breach insurance:<br>
><br>
> From SANS NewsBites Vol. 10 Num. 22:<br>
> --Canadian Firm to Offer Data Breach Insurance (March 13,<br>
> 2008) As data security breaches appear more and more<br>
> frequently in the news, at least one Canadian insurance<br>
> company is starting to offer a product that would cover costs<br>
> incurred by companies when they have suffered a data privacy<br>
> breach. The policy would cover the cost of fixing computer<br>
> damage as well as costs associated with customer notification<br>
> and reimbursement and compensation paid to credit card<br>
> companies for losses from fraud. The coverage is structured<br>
> to address Canadian data privacy laws.<br>
> http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINSURANCE13/TPStory/Business<br>
><br>
> [Editor's Note (Schultz): Insurance against security<br>
> incidents in general has not caught on all that well in the<br>
> information security arena for a number of reasons. However,<br>
> this new type of insurance is likely to fare much better<br>
> because of the widespread concern about and high likelihood<br>
> of data security breaches.]<br>
><br>
> cheers,<br>
> sasha<br>
> www.romanosky.net<br>
><br>
> > -----Original Message-----<br>
> > From: dataloss-bounces@attrition.org<br>
> > [mailto:dataloss-bounces@attrition.org] On Behalf Of Kevin
McPoyle<br>
> > Sent: Thursday, March 20, 2008 6:00 PM<br>
> > To: Chris Walsh; Tracy Blackmore<br>
> > Cc: dataloss@attrition.org<br>
> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss
Ahoy!<br>
> ><br>
> > What I find interesting is the recognition among the readers and<br>
> > pundits that this is an imperfect world with respect to security.<br>
> > With that in mind, I'm unclear as to why organizations don't transfer<br>
> > a portion of this risk to others through an insurance product? It<br>
> > seems rational and clearly represents some mitigating of a scenario<br>
> > that will happen, not if, when. Policies are readily available,<br>
> > negotiable and clearly a deal compared to other costs. No one likes to<br>
> > "waste" money on insurance...until there is a claim. The supermarket<br>
> > had D&O with which to fend off the legal dogs.<br>
> > Why don't they have a "cyber" policy?<br>
> > Who's making these good decisions?<br>
> ><br>
> > -----Original Message-----<br>
> > From: dataloss-bounces@attrition.org<br>
> > [mailto:dataloss-bounces@attrition.org] On Behalf Of Chris
Walsh<br>
> > Sent: Thursday, March 20, 2008 5:49 PM<br>
> > To: Tracy Blackmore<br>
> > Cc: dataloss@attrition.org<br>
> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss
Ahoy!<br>
> ><br>
> > IANAL, but this question of "due diligence" and comparing oneself to<br>
> > one's competitors begs the question -- what harm (in the legal sense)<br>
> > has been done here to anyone whose CC or debit card # was revealed?<br>
> > Does your answer vary depending on whether there was fraud associated<br>
> > with that card #?<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Dataloss Mailing List (dataloss@attrition.org)<br>
> > http://attrition.org/dataloss<br>
> ><br>
> > Tenable Network Security offers data leakage and
compliance<br>
> > monitoring solutions for large and small networks. Scan
your<br>
> > network and monitor your traffic to find the data
needing<br>
> > protection before it leaks out!<br>
> > http://www.tenablesecurity.com/products/compliance.shtml<br>
</blockquote>
<div><br></div>
</body>
</html>