[Dataloss] rant: Abandon Ship! Data Loss Ahoy!
Adam Shostack
adam at homeport.org
Thu Mar 20 18:08:24 UTC 2008
On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
| > On the public policy issue, I agree. If you want companies to disclose
| > the exact circumstances around a breach (exact technical details), there
| > will have to be a shield that prevents plaintiffs' attorneys from using
| > the information in lawsuits.
|
| You highlight an interesting trade-off. It may be the case that more
| disclosure would reduce incentives to prevent future breaches,
| depending on how we understand the problem.
|
| A standard policy tool for enforcing maximum diligence is the threat
| of lawsuits, massive ones that can wreck a corporation. If we follow
| this liability argument (as advanced by Schneier and other scholars of
| the economics of information security) then making concessions to
| corporate defendants can impede the end goal of less data retention
| and greater data protection.
|
| If we don't think we're ever going to get there, then more data about
| breaches for the purposes of research is clearly the greater good.
| This is a very interesting dynamic. I'll have to think about how to
| model it...
For this policy to be effective, costs must be aligned with a failure
to take effective measures. Today, we lack the data to assess how
effective various 'best practices' or standards are. Gene Kim and
company have done work showing that a few parts of COBIT are key, and
others are not correlated with the outcomes they studied. (There's a
CERIAS talk video you can find.) There are claims that Hannaford was
PCI compliant. Shouldn't that have made them secure?
So lawsuits today are random. With better data, we may be able to
better attribute blame. Perhaps this shapes a temporary liability
shield, with a goal of revisiting it later, or allowing case law to
shape it for a while?
Adam