Monday, January 16, 2006

To report, or not to report?

Computerworld is running a story that "Three more U.S. states add laws on data breaches", but what would the consequences of this be? Fewer security breaches? I doubt it. Realistic metrics and reactions whenever an actual breach occurs, along with measures to prevent the next one? Now that's something, I think.

Such legislation has a huge impact on the industry, on public opinion, and on the company itself. No one likes admitting to getting hacked, or to having sensitive information exposed to an unknown and obviously malicious party. Yet if companies weren't reporting these breaches, thousands of people would have been secretly exposed to possible identity theft, and we'd still be living with the idea that the megacorporations are responsibly handling our information. Which they obviously aren't! And even if they try to hide it, sooner or later a victim will start digging in, and the story ends up in the mainstream news. Privacyrights.org has taken the time and effort to compile "A Chronology of Data Breaches Reported Since the ChoicePoint Incident", and as you can see, it's not getting any better, though reporting and legislation have the potential to change a lot.

The bottom line: I am a firm believer that reporting breaches greatly improves the accuracy of security metrics, and hopefully the solutions themselves. Security through obscurity is simply out of the question when it comes to storing unencrypted databases online, or even distributing them offline, though it's still obviously very popular today.

What do you think? Are the long-term negative PR effects worth the uninterrupted business continuity as a whole? Are you comfortable not knowing exactly how any of the organizations that hold sensitive information about you are taking care to secure it? I'm not!

Various other comments on the topic:

Information Security Breaches and the Threat to Consumers
Security Breaches : Notification, Treatment, and Prevention
Recommended Practices on Notification of Security Breach Involving Personal Information
What Does a Computer Security Breach Really Cost?
