[attrition] rant: Partial Truths: A Guide to Legally Covering Up a Data Loss Incident
lyger
lyger at attrition.org
Thu Jul 19 23:08:38 UTC 2007
http://attrition.org/security/rant/z/partialtruths.html
Thu Jul 19 19:05:40 EST 2007
d2d
Steps required:
1. DO NOT TELL THE PRESS.
2. Comply with state laws, as your in-house counsel conveniently
interprets them.
3. If you must tell the press:
* Do not release the total number affected.
* Use ambiguous language that does not even hint at the scope of
the breach (omit quantifiers like: some, all, many, assloads).
* Be sure to include "There have been no reports of misuse...".
* Finally, add a comforting "The (system|file|gnome) was
password protected."
In truth, none of the above-mentioned methods truly cover up a data loss
incident, but they do make those incidents significantly less painful for
the companies that experience the losses. They also do not have nearly the
impact on consumers that breaches reported with full disclosure might. It
is a rather simple process of deception: tell the truth only where you
have to, and tell only as much of the truth as the law requires.
The IBM tape loss earlier this year is a fantastic example of how to make
a significant breach receive little press. The breach was widely reported,
but since IBM released no numbers there was no sense of its scope, and as
such the incident was quickly forgotten. Since IBM won't disclose the
numbers, we assume it was in the millions, and if you had dealings with
IBM, worked for IBM, bought from IBM or thought of IBM in a sensual dream,
you are probably affected.
[...]