BreachExchange mailing list archives
Re: rant: Useless Compensation for Data Loss Incidents
From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Wed, 11 Jun 2008 08:17:38 -0400
Being a person that actually put an Incident Response Plan together, I can attest to the fact that the thought process, at least in our case, was "What is the risk to the consumer and what, if anything, can we do to help the consumer mitigate that risk?" Unfortunately, there's just not much else that a company can do after the fact. We hope our efforts before the fact prevent us from ever losing such data, but companies are often at the mercy of the competence of a single employee or sub-contractor on a given day (like the tape courier with a hangover). Sure, you can put contracts in place and that makes the bean-counters and lawyers happy, but it doesn't please the ex-cop in me because I deal with violations and exceptions of law; it's my world.

If a lost tape is nothing but credit card PANs, I don't think even credit monitoring is called for, but if your SSN or PII is involved then it's at least something you can do to get some level of early warning.

Where I think the actual problem lies is that most company executives (even most company lawyers) have not caught on to the fact that ISO 27002 is becoming a reference standard for courts to establish a level of "due care" (check LexisNexis if you don't believe me), and non-compliant organizations are deemed "Wishy Washy" or "Loose". So, companies are building IT security processes around PCI, or COBIT, or ITIL, which actually falls under the COSO portion of International Law, and they think they are covered, when in reality the COSO organization only covers financial transactions, and they are missing all of the parallel (and the fact they are parallel and complementary) controls under the OECD (Laws) and ISO (Standards). The net effect is security controls that are 1/3 adequate.
________________________________
From: dataloss-bounces () attrition org on behalf of lyger
Sent: Wed 6/11/2008 3:32 AM
To: dataloss () attrition org
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents

http://attrition.org/security/rant/dl-compensation.html
Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
Current thread:
- rant: Useless Compensation for Data Loss Incidents lyger (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents DAIL, WILLARD A (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents M Barnett - TIFRM (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents Michael Hill, CITRMS (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents Derek Rigsby (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents Al Mac Wheel (Jun 12)
- Re: rant: Useless Compensation for Data Loss Incidents Michael Hill, CITRMS (Jun 11)
- <Possible follow-ups>
- Re: rant: Useless Compensation for Data Loss Incidents MKEVHILL (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents David Metcalf (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents Nell Walton (Jun 11)
- Re: rant: Useless Compensation for Data Loss Incidents David Metcalf (Jun 11)