[Dataloss] rant: Abandon Ship! Data Loss Ahoy!
macadamiamac
macadamiamac at gmail.com
Fri Mar 21 01:15:23 UTC 2008
A Qualys (a good system) or equivalent
installation, insurance and whatever other
components a business may implement to protect
its PII data is not a set-it-and-forget-it
procedure. Kryptonite-proof it ain't. No system
is 100% immune from all risk.
A savvy CTSO, with the cooperation and
support of senior management, will implement all
of the components: training its personnel, hardware
and software firewalls, changing passwords
periodically, encrypting data in use, purging
data no longer needed, periodic random testing of
the system, and whatever else reduces the risk of
data loss, internal and external.
An even smarter management team will have
all of the foregoing incorporated into its
culture and have on deck 1) a breach management
plan; 2) notification and PR templates; 3) a
recovery plan; and 4) a re$erve or insurance.
There are federal regulations [see FTC
12 CFR § 315 et seq. of the FACT Act], becoming
effective in November 2008, that mandate that
financial institutions, their providers and
anyone else who deals with consumer credit (and
the PII data necessary to conduct their
business) implement a host of must-dos or face
penalties.
A business not in compliance that suffers a breach will be subject to:
* Civil Liability - Actual damages sustained if identity is stolen as a result of corporate inaction, or statutory damages up to $1,000 per affected individual;
* Class-Action Lawsuits - If large numbers of individuals are affected, they may be able to bring class-action suits and get punitive damages;
* Federal Fines - Up to $2,500 for each violation; and
* State Fines - Up to $1,000 for each violation, depending upon jurisdiction.
So maybe a little insurance isn't such a bad idea, n'est-ce pas?
Sanford Lung
Honolulu (yes, there are ID fraudsters in paradise)
http://www.identitysafeguards.com
>Whoops, wrote too soon:
>
>http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207,00.html
>(Thanks to a student post for pointing this out.)
>
>
>> -----Original Message-----
>> From: Sasha Romanosky [mailto:sromanos at andrew.cmu.edu]
>> Sent: Thursday, March 20, 2008 6:27 PM
>> To: 'dataloss at attrition.org'
>> Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>>
>>
>> To my knowledge, this firm in Canada is the one that offers
>> data breach insurance:
>>
>> From SANS NewsBites Vol. 10 Num. 22:
>> --Canadian Firm to Offer Data Breach Insurance (March 13,
>> 2008) As data security breaches appear more and more
>> frequently in the news, at least one Canadian insurance
>> company is starting to offer a product that would cover costs
>> incurred by companies when they have suffered a data privacy
>> breach. The policy would cover the cost of fixing computer
>> damage as well as costs associated with customer notification
>> and reimbursement and compensation paid to credit card
>> companies for losses from fraud. The coverage is structured
>> to address Canadian data privacy laws.
>> http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINSURANCE13/TPStory/Business
>>
>> [Editor's Note (Schultz): Insurance against security
>> incidents in general has not caught on all that well in the
>> information security arena for a number of reasons. However,
>> this new type of insurance is likely to fare much better
>> because of the widespread concern about and high likelihood
>> of data security breaches.]
>>
>> cheers,
>> sasha
>> www.romanosky.net
>>
>> > -----Original Message-----
>> > From: dataloss-bounces at attrition.org
>> > [mailto:dataloss-bounces at attrition.org] On Behalf Of Kevin McPoyle
>> > Sent: Thursday, March 20, 2008 6:00 PM
>> > To: Chris Walsh; Tracy Blackmore
>> > Cc: dataloss at attrition.org
>> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>> >
>> > What I find interesting is the recognition among the readers and
>> > pundits that this is an imperfect world with respect to security.
>> > With that in mind, I'm unclear as to why organizations don't transfer
>> > a portion of this risk to others through an insurance product? It
>> > seems rational and clearly represents some mitigating of a scenario
>> > that will happen, not if, when. Policies are readily available,
>> > negotiable and clearly a deal compared to other costs. No one likes to
>> > "waste" money on insurance...until there is a claim. The supermarket
>> > had D&O with which to fend off the legal dogs.
>> > Why don't they have a "cyber" policy?
>> > Who's making these good decisions?
>> >
>> > -----Original Message-----
>> > From: dataloss-bounces at attrition.org
>> > [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
>> > Sent: Thursday, March 20, 2008 5:49 PM
>> > To: Tracy Blackmore
>> > Cc: dataloss at attrition.org
>> > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>> >
>> > IANAL, but this question of "due diligence" and comparing oneself to
>> > one's competitors begs the question -- what harm (in the legal sense)
>> > has been done here to anyone whose CC or debit card # was revealed?
>> > Does your answer vary depending on whether there was fraud associated
>> > with that card #?
>> >
>> >
>> > _______________________________________________
>> > Dataloss Mailing List (dataloss at attrition.org)
>> > http://attrition.org/dataloss
>> >
>> > Tenable Network Security offers data leakage and compliance
>> > monitoring solutions for large and small networks. Scan your
>> > network and monitor your traffic to find the data needing
>> > protection before it leaks out!
>> > http://www.tenablesecurity.com/products/compliance.shtml