August 8, 2010 at 8:08 pm
Comments posted to this topic are about the item Security Disclosure
August 9, 2010 at 4:21 am
Ah yes, full disclosure on the Honour System. Like Union Carbide, and Exxon, and BP, and...you get the idea.
Au contraire, there aren't ENOUGH rules regarding privacy and security - nor are the existing rules enforced enough. Penalties for data breaches should be heavily punitive. For example, in Australia you can be fined up to $1.1 million per day for breaching spam laws. As a result, companies care very much about their spam compliance. Only when you gouge profits (or threaten to do it), will organisations really take notice of their sloppy data security practices and do something to fix them. Kick 'em where it really hurts. And then kick 'em again so they remember.
James Stover, McDBA
August 9, 2010 at 6:04 am
James,
So you suggest having very hefty penalties for any data breach in order to solve the problem? Wouldn't that strongly encourage corporations experiencing such a breach to keep it secret, therefore only making it worse?
August 9, 2010 at 7:11 am
This is getting to the disastrous legal concept of 'zero tolerance' which causes all sorts of unintended side effects simply because of the loss of judgement and proportionality. Not all breaches are equal. Some cause only minor problems, some cause embarrassment to the company, many are uncertain if a breech even occurred at all (a possible break-in, with possible exposure of a database, for example or has user X been collecting data encountered during his daily job.. no one knows). Going with extreme regulation will only encourage data holders to 'not look too closely' to discover leaks (at least not publicly). Regulations are not free, enforcement costs tax dollars, complying with them costs business dollars... complying with them becomes a double taxation. (And who watches the government, with the largest, most sensitive databases and a very poor record of control ... Wikileaks, anyone?)
The complexity of protecting even low damage data could simply make it impractical to use, eliminating otherwise useful business services.
Breaches will NEVER be completely eliminated (just as embezzlement has never been completely eliminated, despite centuries of banking experience). We need to think more about the traffic safety model. We would love to see highway crashes eliminated, but without reducing everyone to 5 mph. So we work first to keep people obeying sensible regulations, but we also have highly effective ambulance services and ERs, as well as insurance to better handle the inevitable.
What we need is to incorporate efficient legal ways of protecting people and businesses from the effects of data loss such as fast handling of card re-issues, clear and easy to use credit rating correction, and protection (legal and financial) from the effects of others actions.
...
-- FORTRAN manual for Xerox Computers --
August 9, 2010 at 7:18 am
As always, the devil is in the details.
First, who's going to be subject to the regulations? Is it only for "large" companies? Or everyone? If everyone, then *everyone* will have to have SOX/HIPPA level security, right? Single proprieterships with intrusion detection, make *everyone* a security expert?
Clearly that won't work. So where do you draw the line? Even mom-and-pop shops keep "personally identifiable" information about their customers. Address, for example. Purchase histories. Which might be embarassing if they're a bookstore, hmm?
Sounds good, but unfortuntely it's not only impractical it's impossible. First of all as I said is the size issue. Second, you have to know about the intrusion, which means you have to be expert in security--which means you have to have someone expert in security who isn't a crook. Or nuts. San Franscisco learned that lesson. 🙂
The problem is there's too much complexity. And that's a hard problem, probably an unsolvable problem. So in the end we're basically screwed with the status quo. Harden one target and the bad guys move to a softer one. It's impossible to harden everything.
Of course, suggesting my own impractical suggestion, when we catch some of these criminals, public execution would halt repeat offenses... Given the nature of criminals it probably wouldn't offer a detterent, but eventually we'd solve the problem--by running out of criminals...
August 9, 2010 at 8:05 am
We'll never stop all leaks/breaches.
We'll never have perfect security.
We'll never run out of criminals. Sad, but as there are fewer of them, the stakes go up, more people become criminals, or gamble on a quick score.
I don't think we ought to have more regulation, but just disclosure. I'm not sure fines do it, though maybe we do have stiff penalties and just disclose everything. If you know about it (another tricky issue), you disclose it. Big, small, call it what it is. If everyone discloses the issues, we'll have more information for better security issues, and the small issues won't be as big a deal from a PR perspective if everyone releases details.
August 9, 2010 at 8:33 am
Steve Jones - Editor (8/9/2010)
We'll never stop all leaks/breaches.We'll never have perfect security.
..I don't think we ought to have more regulation, but just disclosure. I'm not sure fines do it, though maybe we do have stiff penalties and just disclose everything. ...
There are some problems with this idea. Typically, people are legally (criminally or civilly) punished (fines etc) for engaging in criminal activities. Here, however, they are being punished for being outsmarted by criminals. Can you imagine being charged with being the the victim of a crime or theft? That turns things upside down.
There is some precedent in things like fire safety etc, where companies are required to meet safety standards, but in those cases the known standards are plainly spelled out, and anyone can see if they are meeting the legal requirements. Since there are infinite numbers of breaches possible and very clever people both inside and outside the company are powerfully motivated to defeat any protections, being outsmarted should hardly be a criminal act.
Massive disclosure would be of little help either. Aside from the fact that massive disclosures simply bury huge amounts of information in obscurity, there is usually no way to even ascertain what the effects, if any, are of any particular breach. On the other hand I can easily imagine the equivalent of 'ambulance chasing' lawyers just searching for class actions to initiate even without any evidence of actual significant harm occurring.
The US military, with all its years of experience in secrecy managed to be breached 90,000 sensitive documents recently. Do you really expect that small businesses can possibly not experience some breaches? The alternative would be to make it so dangerous to do business that entrepreneurial startups are destroyed.
...
-- FORTRAN manual for Xerox Computers --
August 9, 2010 at 8:35 am
Steve Jones - Editor (8/9/2010)
We'll never stop all leaks/breaches.We'll never have perfect security.
We'll never run out of criminals. Sad, but as there are fewer of them, the stakes go up, more people become criminals, or gamble on a quick score.
I don't think we ought to have more regulation, but just disclosure. I'm not sure fines do it, though maybe we do have stiff penalties and just disclose everything. If you know about it (another tricky issue), you disclose it.
I lean on the side of disclosure about leaked data. I tend to agree that despite the efforts, there will continue to be breaches (social networking is a preferred method for stealing/gaining information from a hackers point of view).
I think there needs to be disclosure but not on everything. Part of a good defense may include a honeypot. You could easily include a database in the honeypot. If the honeypot is breached, I don't think disclosure is needed.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
August 9, 2010 at 8:41 am
A lot depends on what constitutes a "breach". In some orgs and for some kinds of private data, an employee from the wrong dept looking at a screen would be considered a breach. But most companies tend not to report such matters and consider those "internal".
August 9, 2010 at 11:04 am
First defense against a data breach: Don't have the data in the first place.
This would be trivial if, for the past years, companies had only kept data absolutely necessary to running the core business. As many have a habit of keeping more data than is absolutely necessary, breaking the habit is hard... but is often cheaper than rigorous security. Many 'desired' actions can no longer be done; but that data, too, can no longer be lost (assuming proper purging of all copies).
I say: keep only exactly what you need, and secure it properly. It's expensive... and more importantly, your customers will complain ('What, I can't have my username and password both be <something trivial>? That's annoying!').
August 9, 2010 at 3:39 pm
How you feel about this may be related to whether you feel the current recession is largely due to government bungling or lightly regulated corporations and traders. Lots of opinions on both sides of that one.
I think the downsides of regulations and their enforcement has less chance of bankrupting companies than the risks to the public at large by having little or no regulation. Some make it through major downturns relatively unscathed or even profit from them. I don't think we can say that for the average citizen/employee.
August 9, 2010 at 4:49 pm
Jonathan Melo (8/9/2010)
James,So you suggest having very hefty penalties for any data breach in order to solve the problem? Wouldn't that strongly encourage corporations experiencing such a breach to keep it secret, therefore only making it worse?
Sure...for those businesses that are going to flout the law anyway. For those who adhere to the rules, it gives them proper incentive (and justification) to spend the money & time preventing data breaches. I see heavy penalties as a method to discourage unwanted behaviour and to remove serial offenders from the gene pool. I agree that you won't stop every breach, but we can put an end to sloppy practices. To me, it's no different than imposing heavy fines for dangerous driving (e.g. speeding).
James Stover, McDBA
August 10, 2010 at 6:41 am
James Stover (8/9/2010)
Sure...for those businesses that are going to flout the law anyway. For those who adhere to the rules, it gives them proper incentive (and justification) to spend the money & time preventing data breaches. I see heavy penalties as a method to discourage unwanted behaviour and to remove serial offenders from the gene pool. I agree that you won't stop every breach, but we can put an end to sloppy practices. To me, it's no different than imposing heavy fines for dangerous driving (e.g. speeding).
It all sounds so clean and simple, but in practice it's not. The any breach concept ignores the fact that, especially considering inside jobs, every site is potentially vulnerable regardless of how well they manage their systems. Just following 'good practices' is not enough.
It ignores also the fact that the vast majority of businesses, especially small ones, are simply not in the business of security, nor can they afford a high end security person (there are far fewer security people available) and plenty of hackers are far more skilled and motivated than the typical security person. If you raise the risk of doing business too high, you kill all our future economic development, only corporations with deep resouces will be able to compete (I'm sure the Fortune 500 would love that). Small business must not be expected to have a crack security team on 24/7 watch.
Of course businesses have to deal with risk, and the normal method is insurance, but insurance rarely if ever covers fines. If someone hurts themselves on your property or with your product, you can get insurance. If a thief steals money or equipment you can get insurance. If a criminal breaks into your system under rules like that, you are financially and legally screwed.
Data loss is a serious problem, and civil liability for actual harm is one potential avenue (it would also make insurance possible) but we must get off the mindset of trying to deal with it by stricter and stricter controls. What we need are changes in the law that enable consumers to protect themselves from the effects of information leakage regardless of the source. Every security measure will fail at one time or another. We've got to deal with that fact.
And as I noted earlier, if the government, including the military, cannot keep data secure (hundreds of breaches in the past few years), how would you expect them to provide security through regulations.
...
-- FORTRAN manual for Xerox Computers --
August 10, 2010 at 4:22 pm
Data security guidance must be the first step to analysing whether a company has taken the necessary steps in making there are no security breaches. If companies has failed to follow the guidance then someone has to pay. Again if the company fails to follow the recommendations after the breach then there must be a stiffer penalty.
The difficulty is defining the guidance especially when one starts working with a third party company especially when the company is relatively small and it's staff has little or no appreciation of the implications of data breaches.
August 10, 2010 at 6:17 pm
jay holovacs (8/10/2010)
James Stover (8/9/2010)
Sure...for those businesses that are going to flout the law anyway. For those who adhere to the rules, it gives them proper incentive (and justification) to spend the money & time preventing data breaches. I see heavy penalties as a method to discourage unwanted behaviour and to remove serial offenders from the gene pool. I agree that you won't stop every breach, but we can put an end to sloppy practices. To me, it's no different than imposing heavy fines for dangerous driving (e.g. speeding).
It all sounds so clean and simple, but in practice it's not. The any breach concept ignores the fact that, especially considering inside jobs, every site is potentially vulnerable regardless of how well they manage their systems. Just following 'good practices' is not enough.
It ignores also the fact that the vast majority of businesses, especially small ones, are simply not in the business of security, nor can they afford a high end security person (there are far fewer security people available) and plenty of hackers are far more skilled and motivated than the typical security person. If you raise the risk of doing business too high, you kill all our future economic development, only corporations with deep resouces will be able to compete (I'm sure the Fortune 500 would love that). Small business must not be expected to have a crack security team on 24/7 watch.
Of course businesses have to deal with risk, and the normal method is insurance, but insurance rarely if ever covers fines. If someone hurts themselves on your property or with your product, you can get insurance. If a thief steals money or equipment you can get insurance. If a criminal breaks into your system under rules like that, you are financially and legally screwed.
Data loss is a serious problem, and civil liability for actual harm is one potential avenue (it would also make insurance possible) but we must get off the mindset of trying to deal with it by stricter and stricter controls. What we need are changes in the law that enable consumers to protect themselves from the effects of information leakage regardless of the source. Every security measure will fail at one time or another. We've got to deal with that fact.
And as I noted earlier, if the government, including the military, cannot keep data secure (hundreds of breaches in the past few years), how would you expect them to provide security through regulations.
I only partially agree with your comments.
First, small businesses should not be exempt from the rules, nor the penalties. I do agree that the penalty should be appropriate to the size of the business. However, I don't believe a small business needs a crack security team 24/7 to meet their security needs. That's just typical small biz scare tactic.
Second, there are dozens of reasons why governments consistently fail with their data security. Probably the biggest reason is complexity. I don't expect them to keep data secure through regulation. I expect them to keep less personal information stored in their repository, thus reducing their security requirement.
Third, if you have a security protocol that has met established requirements and you are breached then you have done your "due diligence" and your liability should be limited. My goal is to punish the serial offenders and discourage the would-be offenders.
Lastly, I absolutely agree that consumers need more protection. A good start is to discourage sloppy practice - this is why we need strict controls (I'd like to see Facebook jump through that flaming hoop). Further, I do agree that consumers need more protection when their data is compromised. Unfortunately, I don't have a solution but if it were possible, I would like the ability to license my personal data and revoke access - at my leisure - from EVERYONE who has it. In that way, only I own my data and nobody else.
James Stover, McDBA
Viewing 15 posts - 1 through 15 (of 17 total)
You must be logged in to reply to this topic. Login to reply