Drip, Drip, Drip: The Statistical “Certainty” of Data Leaks

3 Responses

  1. Another great note on the inadequacy of the current legal and enforcement regime with respect to both privacy and data security. I have said in the past that “Data is the new Asbestos” … the only way to make sure that entities properly handle the information is a combination of regulation, oversight, and private right of action. It simply will not be cleaned up by the current courses of action.

    I am hardly a proponent of the lawyers class action bar. But…for once for me…I think there is a real consumer protection benefit to turning the lawyers loose on this.

  2. Hi Danielle,

    Andrew Stewart and I have argued that a missing ingredient in what firms can do about security breaches is an understanding of what went wrong for others. For example, you mention Lockheed Martin. Do you know what their security measures were? Do you know which ones failed?

    Absent such knowledge, we’re unable to determine if “giving employees better training” will actually pay off. We don’t understand if blocking Facebook at work has an impact on breaches. Regarding the Ponemon Institute survey you cite, I frankly don’t believe it’s an accurate portrayal of the underlying reality it attempts to illuminate. New School co-blogger Russell Thomas and I have done analysis of their other reports, and found them seriously flawed. (I can send you links, but worry that ConOp’s anti-spam will eat my comment if I put them here.) Also, see Cormac Herley & Dinei Florencio’s “Sex, Lies and Cybercrime Surveys” which I think is very relevant.

    So today, I’m opposed to strict liability, because as a security professional, I can’t say with great certainty what actions would really reduce my organization’s risk. I apply my best professional judgement, and am aware of the limits under which I form up those judgements.

    I do believe that more disclosure, and thus more information, will help us better understand what’s going wrong and learn to better address it.


  3. Those are really helpful insights, Adam, and I will check out the cites. Thanks for reading and commenting. Same with Anthony. I appreciate the input.