[Dataloss] rant: Useless Compensation for Data Loss Incidents

Wed Jun 11 12:17:38 UTC 2008

Being a person that actually put an Incident Response Plan together, I can attest to the fact that it the thought process, at least in our case, was "What is the risk to the consumer and what, if anything can we do to help the consumer mitigate that risk?"

Unfortunately, there's just not much else that a company can do after-the-fact.  We hope our efforts before-the-fact prevent us from ever losing such data, but companies are often at the mercy of the competence of a single employee or sub-contractor on a given day (like the tape courier with a hang-over).  Sure, you can put contracts in place and that makes the bean-counters and lawyers happy, but it doesn't please the ex-cop in me because I deal with violations and exceptions of law, it's my world.

If a lost tape is nothing but credit card PAN's I don't think even credit monitoring is called for, but if your SSN or PII is involved then it's at least something you can do to get some level of early warning.

Where I think the actual problem lies is that most company executives (even most company lawyers) have not caught on to the fact that ISO 27002 is becoming a reference standard for courts to establish a level of "due care" (check Lexus Nexus if you don't believe me) and non-compliant organizations are deemed "Wishy Washy" or "Loose".  So, companies are building IT security processes around PCI, or CoBit, or ITIL, which actually falls under the COSO portion of International Law and they think they are covered, when in reality, the COSO organization only covers financial transactions, and they are missing all of the parallel (and the fact they are parallel and complimentary) controls under the OECD (Laws) and ISO (Standards). 

The net effect are security controls that are 1/3 adequate.

________________________________

From: dataloss-bounces at attrition.org on behalf of lyger
Sent: Wed 6/11/2008 3:32 AM
To: dataloss at attrition.org
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents

http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have
received a letter from the careless organization that lost your
information. These letters always offer apologies and sincere hope that
your identity or personal information isn't abused. The recent BNY Mellon
incident (which now stands at 4.5 million potential customers affected)
resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are
offering free credit monitoring for 12 whole months! This seemingly
generous offer has apparently become the standard business practice for
acceptable compensation when your personal information is treated with
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert"
credit monitoring product (despite no mention of that 'product' on the
consumerinfo.com web page), which watches for changes to your credit
reports from the three national credit reporting agencies in the United
States (Experian, Equifax, TransUnion). If you are unlucky and get caught
up in multiple data loss incidents, you may receive this "gracious
compensation" many times over.

First, why is this type of reactive credit monitoring acceptable
compensation? This seems to be another case of one business following
another and... voila, we have an industry 'standard' that does little to
serve the customer but does everything to serve businesses that want to
look caring and "customer-centric" in the media.

[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.