[Dataloss] [vanderaj at greebo.net: SF new column announcement: Strict liability for data breaches?]

blitz blitz at strikenet.kicks-ass.net
Tue Feb 21 13:14:20 EST 2006


RE: The radio analogy:

That took one massive disaster with thousands of lives lost. Those 
kinds of incidents seem to pique interest in "getting it right", much 
the same as the disaster of 9.11 inspired major changes to the 
building codes now used in regards to stairwell design, fire-proofing 
and emergency procedures.

So far we haven't learned of a major disaster in dataloss of any 
great magnitude, primarily (I would suppose) because #1) they don't 
want us to know about it. #2) Insurance they've bought covers it, and 
there's no incentive for the insurance companies to reveal the 
magnitude or method of the losses, lest they inspire someone else to 
use the same tack, or #3) (Which is my favorite, most probable 
theory) They can simply charge off to the consumers the costs of 
losses, either in higher rates, premiums, costs of insurance, etc. 
etc. etc. Which fleeces ALL equally, giving them a way to profiteer 
off their losses. And since this is particularly despicable, raping 
those that DO practice good, safe, best practices, it's a thing they 
readily absorb, and jack up the rates making everyone pay excessive amounts.
This is the theory of auto insurance: take the worst drivers, and 
rape everyone at a fraction of their rates, and spread the costs over 
the base who do not drive badly. This ensures continued fleecing of the 
very worst drivers at confiscatory rates, while a few dollars more 
from everyone adds up to huge profits.

So until a major dataloss incident, that can not be covered up, flows 
out onto the street and people scream for preventive measures, don't 
hold your breath. Something like a few billion being scammed by the 
Russian mob doesn't even come close here. Hell, the US Housing and 
Urban Development (HUD) took a $4 billion loss and nary batted an 
eyeball (like how many of us heard of it?), so if they're not 
blinking at a few billion, what DOES constitute a major incident?

Money doesn't seem to count; people's information is more sensitive by 
far. Money doesn't make noise, people DO! And rest assured, one of 
these days, some deep pockets organization will do something horribly 
incompetent, and hundreds of thousands will start a class action suit 
that will cripple them enough to cause everyone else to rethink 
security from the ground up. We can all hope that's the way it goes, 
because if we let the law-vultures have a go at writing rules and 
regs, we're starting at the very rock bottom of incompetency.
>Best practices also change quickly--from the introduction of radio to
>the time that a ship was expected to have a radio to avoid negligence
>wasn't all that long.


