The Penalty for a Data Breach


  • I've learned so much about security over the past year and I've come out of it frightened.

    Users, Groups, Roles and LDAP integration is the warm up before the 1st cup of coffee on the 1st day.

    If developers think DBAs give them a hard time, wait until they meet a security specialist! If you did everything possible to secure your data you would slow your organisation down to a crawl, massively increase your infrastructure and need to increase your staff.

    From what I have seen when security needs are king there is considerable impact on the physical data model.

    In general I am ambivalent about ORMs. When used correctly they can enhance productivity and not cause irreconcilable problems for DBAs. Where security is king, ORMs offer too great an attack surface area for the security guys to sign off.

    The fact remains that the biggest risk is the human element. Those with legitimate access are the threat. No point having multi layer security, network segregation, encryption with more bits than a drill factory if some numpty in marketing puts it all in a spreadsheet and emails it out as an unprotected attachment.

    In the end it has to boil down to a risk-based approach, or the expense is as crippling as the reduction in delivery speed.

  • 15 years back I spent only a fraction of my work time on security-related tasks. I can at least count the time spent in percentages today. But to be compliant with all the standards and regulations my company wants to adhere to, the amount of time I and my colleagues work on security has to be further increased by a huge amount.

  • I never really thought about who pays for a data breach. I assumed the company did, but your article, Steve, shows me it's likely the insurance company that insures the company that had the data breach. Hmm. Somehow that defeats the purpose, at least in my mind. If Company X had some of my personal data and they had a breach, I've always been under the (apparent) delusion that they "would pay" for their negligence. I guess not.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • Having performed audits of medical insurance companies I have found that most do not implement encryption. Why should they? The cost outweighs the possible penalties. Only when forced will companies act in the best interest of their customers.

  • I'm not sure if legal prosecution is appropriate, unless it can be proven that executive management were grossly negligent or perhaps a rogue employee implemented or helped facilitate the data breach. However, maybe it would make sense to look at data breaches the same way we look at environmental pollution; that is to say that a corporation (or individual) negligently allowed data to be leaked as a result of failure to perform due diligence or deliberate criminal activity.

    We may want to enact legislation that requires corporations to purchase insurance to cover this potential loss. The insurance industry could then set rates based on the riskiness of the corporation's business model regarding what type of data they hold, how compliant they are with best practices, and their history of past losses. If a corporation does something really stupid, then the cost of acquiring insurance coverage may be so high that it puts them out of business. This combination of governmental and industry regulation has proven effective for other industries.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I think this editorial seems a bit confused: data loss is just one sort of data breach; revealing secret or confidential data is another, very different kind of data breach. It seems to say that for data loss there are minor penalties and a requirement to fund credit monitoring, but that is clearly a consequence of the other form of data breach, data exposure, and has absolutely nothing to do with data loss.

    Malicious attempts to cause data loss seem to be far fewer than attempts to expose confidential or secret data, and in Europe data exposure can attract severe penalties from regulators, although in the USA the penalties for data exposure occur only in the finance business and are much less severe than in Europe.

    The rules for protecting data against exposure in the USA are extremely weak, and it is clear that the government wants them not to apply in the case of what would in Europe be improper exposure of data to a government organisation or improper use of data by a government organisation (where "government organisation" appears to be so loosely defined that it includes every local police force). As a result, the head data protection official in Europe very recently stated that the latest safe-harbor replacement proposals are unacceptable because they provide no protection against misuse of data and no viable enforcement mechanism for what little data protection they do provide. The USA government's insistence that it can require American-owned companies to break the laws of the countries they operate in and ignore the decisions of the courts in those countries certainly doesn't help!

    Any serious discussion of data breach and related penalties needs to consider the dispute between the American tyranny (and it certainly is a tyranny in regard to data access) and the European bureaucracy. The UK government's attitude to this (try to brush it under the carpet and pretend it doesn't matter) doesn't help one bit, and confusing data loss with data exposure doesn't help either.

    Tom

  • Rod at work (6/13/2016)

    I never really thought about who pays for a data breach. I assumed the company did, but your article, Steve, shows me it's likely the insurance company that insures the company that had the data breach. Hmm. Somehow that defeats the purpose, at least in my mind. If Company X had some of my personal data and they had a breach, I've always been under the (apparent) delusion that they "would pay" for their negligence. I guess not.

    I'm fine with insurance companies paying. Insurance companies drive a lot of changes, including safety ones, because they don't want to pay. They require better conditions, products, etc. before they write a policy.

  • What do they owe you? A hell of a lot more than anyone gets today! My understanding is that fines go to the government, not the people suffering harm. The fines are minimal. This needs to change so that companies find it cheaper to secure data than to pay the fines.

    Additionally, we need new laws restricting what companies can save. There is no need for them to save my information with rare exception. Does Walmart, Target, BestBuy or Amazon need my entire life history to do business? NO! Now if I opt in (which we never have the choice of doing, we can only opt out), then that means I am OK with what I am sharing. Still even in those cases they should not be allowed to save data they do not need.

    The courts have decided that my data is not my data, it is the corporation's data, which is entirely BS!

    If companies were legally prevented from storing so much data, breaches would not be as prevalent nor as damaging. Then we could focus on data that is required. A doctor needs to know your insurance company, but almost all of them still require your social security number even though they are legally prevented from using that. Lots of companies, Mark Z's for example, are mining data about us even when we are not using their web site. This has always been an issue, but it is getting ridiculously insane.

    If our politicians on both sides of the aisle actually cared about the people they represent, instead of their campaign contributions from Wall Street, we could fix this. Any bets on that happening?

    Dave

  • djackson 22568 (6/13/2016)

    If our politicians on both sides of the aisle actually cared about the people they represent, instead of their campaign contributions from Wall Street, we could fix this. Any bets on that happening?

    I would bet against it ever happening in the USA unless some big changes happen in the society. After all, why should the plutocrats who control the system allow it to be changed in a way that transfers any benefit (whether monetary, social, or anything else) from ?? ????? to ?? p??????

    Tom

  • Having worked at a company who are supposed 'industry experts' in data security, I can tell you it is no better behind closed doors at such places. PCI audits were laughable; weak auditors accepting straight yes or no answers with no explanations, or at best 'very carefully selected' evidence to suit whichever scenario as proof of controls and measures in place. The main problem as I saw it is the auditors have zero knowledge of the hardware/software they're auditing and in most cases aren't allowed to actually see any systems due to data protection wheeled out as an excuse... :blink:

  • Rod at work (6/13/2016)

    I never really thought about who pays for a data breach. I assumed the company did, but your article, Steve, shows me it's likely the insurance company that insures the company that had the data breach. Hmm. Somehow that defeats the purpose, at least in my mind. If Company X had some of my personal data and they had a breach, I've always been under the (apparent) delusion that they "would pay" for their negligence. I guess not.

    In the UK, a data breach can cost you up to £500k per breach from the regulator. This is outside any other possible penalties (civil, for example, or industry specific).

    Where I work, it's in our standard terms and conditions that a vendor indemnifies us if the breach is in their product; how many of our vendors could sustain a £500k hit is another matter. Even if they do carry insurance, though, there will be clauses in the insurance (there most certainly were in my contractor indemnity) holding the company to good practice. So if you're using dbo (let alone sa) for all your user access, using passwords like MyComp@any as static application (or admin) logins, manifestly failing to follow things like CESG guidelines or standards (in the UK), or getting hit by SQL injection, you're probably going to find any insurance isn't going to cover you.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.

  • TheFault (6/15/2016)

    Having worked at a company who are supposed 'industry experts' in data security, I can tell you it is no better behind closed doors at such places. PCI audits were laughable; weak auditors accepting straight yes or no answers with no explanations, or at best 'very carefully selected' evidence to suit whichever scenario as proof of controls and measures in place. The main problem as I saw it is the auditors have zero knowledge of the hardware/software they're auditing and in most cases aren't allowed to actually see any systems due to data protection wheeled out as an excuse... :blink:

    Completely agree. I'd like to see auditors' findings be more transparent, and certainly, insurance companies requiring better security.

    Unfortunately, I think the PCI group and members are happy to allow a certain level of fraud because their profits allow for it.

  • Steve Jones - SSC Editor (6/15/2016)

    TheFault (6/15/2016)

    Having worked at a company who are supposed 'industry experts' in data security, I can tell you it is no better behind closed doors at such places. PCI audits were laughable; weak auditors accepting straight yes or no answers with no explanations, or at best 'very carefully selected' evidence to suit whichever scenario as proof of controls and measures in place. The main problem as I saw it is the auditors have zero knowledge of the hardware/software they're auditing and in most cases aren't allowed to actually see any systems due to data protection wheeled out as an excuse... :blink:

    Completely agree. I'd like to see auditors' findings be more transparent, and certainly, insurance companies requiring better security.

    Unfortunately, I think the PCI group and members are happy to allow a certain level of fraud because their profits allow for it.

    When consumers lack trust in a corporation's ability or intent to keep their sensitive data private and secure, they become less likely to share it, and they'll even do things like providing fake data on a registration form when installing software or accessing a website's content. Ultimately it's not the sum total of data or data scientists that gives a corporation the IT competitive advantage, but rather how well they cultivate a sense of trust with consumers.

    For example, I trust Microsoft with my personal data more than I would FaceBook or even Google. Microsoft is in the business of building great technology solutions and platforms, which they market directly to clients and consumers, and I respect that. In contrast, FaceBook and Google use technology as a tool for aggregating as much data as they possibly can, and their primary business model is selling personalized data to 3rd parties; so for them I have less trust and respect.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I think that consumers feel powerless, politicians don't want to bite the hand that feeds, companies do the minimum to be compliant, and IT practitioners often have their hands tied.

    All in all, not a good scenario.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
