BreachExchange mailing list archives

Re: confirming victims of data breaches?


From: "Mike Simon" <msimon () creationlogic com>
Date: Tue, 22 Jul 2008 09:16:34 -0700

Interesting discussion, and great insight from each of you. One of the
problems I wrestle with is that one cannot always be clear about what
records were actually compromised. In a situation where (for example)
a hacker gains access to a transaction stream, the hacker doesn't get
the whole database, but just what flowed by while they had access. In
that case, it should be theoretically possible to notify only those
persons whose data was exposed during that window.

I'm usually all for broad notification and information sharing, but
the expenses of notification and remediation on a per-record basis
could mean the difference between a minor incident for the company and
bankruptcy. WRT this thread, as long as you have a handle on whose
data was exposed, you could certainly still respond to queries from
customers, but as was mentioned earlier, you would need extraordinary
means of authenticating the caller/inquirer so as to not further
compromise customers.

At some price point per record, it becomes cost effective to do the
analysis and notify only the affected rather than pay for
notification, credit monitoring and such for your whole database.

Mike Simon
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

