BreachExchange mailing list archives

Re: rant: Abandon Ship! Data Loss Ahoy!


From: macadamiamac <macadamiamac () gmail com>
Date: Thu, 20 Mar 2008 15:15:23 -1000

A Qualys (a good system) - or equivalent installation, insurance and whatever other components a business may implement to protect its PII data is not a set-it-and-forget-it procedure. Kryptonite proof it ain't. No system is 100% immune from all risk. A savvy CTSO, with the cooperation and support of senior management, will implement all of the components: training its personnel, hardware and software firewalls, changing passwords periodically, encrypting data in use, purging data no longer needed, periodic random testing of the system, and whatever else to reduce risk of data loss - internal and external. An even smarter management team will have all of the foregoing incorporated into its culture and have on deck 1) a breach management plan; 2) notification and PR templates; 3) a recovery plan; and, 4) a re$erve or insurance.

There are federal regulations - [see FTC 12 CFR § 315 et seq. of the FACT Act], becoming effective in November 2008, that mandate that financial institutions, their providers and anyone else who deals with consumer credit (and the PII data necessary to conduct their business) implement a host of must-dos or face penalties.

A not-in-compliance business that suffers a breach will be subject to:

* Civil Liability - Actual damages sustained if identity is stolen as a result of corporate inaction, or statutory damages up to $1,000 per affected individual;
* Class-Action Lawsuits - If large numbers of individuals are affected, they may be able to bring class-action suits and get punitive damages;
* Federal Fines - Up to $2,500 for each violation; and
* State Fines - Up to $1,000 for each violation depending upon jurisdiction.

So maybe a little insurance isn't such a bad idea, n'est-ce pas?

Sanford Lung
Honolulu  (yes, there are ID fraudsters in paradise)
http://www.identitysafeguards.com




Whoops, wrote too soon:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207,00.html
(Thanks to a student post for pointing this out.)


 -----Original Message-----
 From: Sasha Romanosky [mailto:sromanos () andrew cmu edu]
 Sent: Thursday, March 20, 2008 6:27 PM
 To: 'dataloss () attrition org'
 Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!


 To my knowledge, this firm in Canada is the one that offers
 data breach insurance:

 From SANS NewsBites Vol. 10 Num. 22:
 --Canadian Firm to Offer Data Breach Insurance (March 13,
 2008) As data security breaches appear more and more
 frequently in the news, at least one Canadian insurance
 company is starting to offer a product that would cover costs
 incurred by companies when they have suffered a data privacy
 breach. The policy would cover the cost of fixing computer
 damage as well as costs associated with customer notification
 and reimbursement and compensation paid to credit card
 companies for losses from fraud. The coverage is structured
 to address Canadian data privacy laws.
 http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINS
 URANCE13/TPStory/Business

 [Editor's Note (Schultz): Insurance against security
 incidents in general has not caught on all that well in the
 information security arena for a number of reasons. However,
 this new type of insurance is likely to fare much better
 because of the widespread concern about and high likelihood
 of data security breaches.]

 cheers,
 sasha
 www.romanosky.net

 > -----Original Message-----
 > From: dataloss-bounces () attrition org
 > [mailto:dataloss-bounces () attrition org] On Behalf Of Kevin McPoyle
 > Sent: Thursday, March 20, 2008 6:00 PM
 > To: Chris Walsh; Tracy Blackmore
 > Cc: dataloss () attrition org
 > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
 >
 > What I find interesting is the recognition among the readers and
 > pundits that this is an imperfect world with respect to security.
 > With that in mind, I'm unclear as to why organizations don't transfer
 > a portion of this risk to others through an insurance product?  It
 > seems rational and clearly represents some mitigating of a scenario
 > that will happen, not if, when.  Policies are readily available,
 > negotiable and clearly a deal compared to other costs.  No one likes to
 > "waste" money on insurance...until there is a claim.  The supermarket
 > had D&O with which to fend off the legal dogs.
 > Why don't they have a "cyber" policy?
 > Who's making these good decisions?
 >
 > -----Original Message-----
 > From: dataloss-bounces () attrition org
 > [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
 > Sent: Thursday, March 20, 2008 5:49 PM
 > To: Tracy Blackmore
 > Cc: dataloss () attrition org
 > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
 >
 > IANAL, but this question of "due diligence" and comparing oneself to
 > one's competitors begs the question -- what harm (in the legal sense)
 > has been done here to anyone whose CC or debit card # was revealed?
 > Does your answer vary depending on whether there was fraud associated
 > with that card #?
 >
 >
 > _______________________________________________
 > Dataloss Mailing List (dataloss () attrition org)
 > http://attrition.org/dataloss
 >
 > Tenable Network Security offers data leakage and compliance
 > monitoring solutions for large and small networks. Scan your
 > network and monitor your traffic to find the data needing
 > protection before it leaks out!
 > http://www.tenablesecurity.com/products/compliance.shtml

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml