BreachExchange mailing list archives
Re: Tracking consequences of data loss
From: Al Mac <macwheel99 () sigecom net>
Date: Wed, 11 Oct 2006 12:53:19 -0500
Many organizations have sustained healthy fines from the FTC in the aftermath of breach investigations that found the places that got breached were negligent in some way. I have seen fines in the $ millions. At least one place has had to declare bankruptcy and go out of business, as a result of the loss of confidence in them that came about due to the circumstances of the breach, where their business was entirely dependent upon the major credit card brands trusting them or approving their security arrangements. There is also a web of lawsuits associated with trying to recover the costs of re-issuing credit and debit card accounts.

Another follow-up I would like to see is which of these places were
(a) governed by some security mandate that they violated (which ones) ... various gov regulations by industry, such as on this list http://www.unbeatenpathintl.com/ITstandards/source/1.html
(b) seeking to achieve some security standard, such as encryption, ISO 17799 (which I think is going to be renumbered as 27002), 27001 and BS7799-3 (which will become ISO 27005), credit card industry standard, DoD standard, but failed, or that they did achieve some standard, but the standard was not good enough to prevent the breach. If you are unfamiliar with the ISO standards for security ... www.27000.org for info on this security standard, which is not just computer security, but also physical security
(c) illiterate about security standards
This discussion of quantifying the repercussions of a data breach has me wondering if there is a way to make a notation in DLDOS if a company is fined or sued as the result of such an incident. I'm not sure it's possible to show loss of reputation in any meaningful manner - has anyone seen cases where the perpetrator was successfully charged for causing either financial losses and loss of reputation?

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 416 incidents over 6 years.