BreachExchange mailing list archives

Re: Tracking consequences of data loss


From: Al Mac <macwheel99 () sigecom net>
Date: Wed, 11 Oct 2006 12:53:19 -0500

Many organizations have sustained healthy fines from the FTC in the 
aftermath of breach investigations that found the places that got breached 
were negligent in some way.  I have seen fines in the $ millions.

At least one place has had to declare bankruptcy and go out of business, as 
a result of the loss of confidence in them that came about due to the 
circumstances of the breach, where their business was entirely dependent 
upon the major credit card brands trusting them or approving their security 
arrangements.

There is also a web of lawsuits associated with trying to recover the costs 
of re-issuing credit and debit card accounts.

Another follow-up I would like to see is which of these places were:

(a) governed by some security mandate that they violated (which ones) ... 
various gov regulations by industry, such as on this 
list  http://www.unbeatenpathintl.com/ITstandards/source/1.html

(b) seeking to achieve some security standard, such as encryption, ISO 
17799 (which I think is going to be renumbered as 27002), 27001 and BS7799-3 
(which will become ISO 27005), the credit card industry standard, the DoD 
standard, but failed; or that they did achieve some standard, but the 
standard was not good enough to prevent the breach.
If you are unfamiliar with the ISO standards for security ... see www.27000.org 
for info on this security standard, which is not just computer security, 
but also physical security.

(c) illiterate about security standards.

This discussion of quantifying the repercussions of a data breach has me 
wondering if there is a way to make a notation in DLDOS if a company is 
fined or sued as the result of such an incident. I'm not sure it's 
possible to show loss of reputation in any meaningful manner - has anyone 
seen cases where the perpetrator was successfully charged for causing 
either financial losses or loss of reputation?
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 136 million compromised records in 416 incidents over 6 years.