A few years ago in my son’s T-Ball, there was “that” parent who had “that” kid. The kid was constantly disobedient, and the parent was constantly shouting at them, making threats. Threats like, “If you do that again I’ll pull you off the field and take you right home!” Any parent out there can tell you exactly what this kid did right after those threats were made - they repeated the action that warranted the threat.
Alan Shimel gets with the program here. Same topic we’ve discussed before, I know, but especially now that there are “laws” around PCI (cringe) it’s worth repeating. I’ll let him do so in his own words:
Clearly, ChoicePoint can make a business decision that the risk of paying the 15 million versus what it would cost to prevent this is not worth it. Other than the fines, companies embroiled in these data losses don’t seem to suffer any further damage to reputation or the bottom line. Until we make the repercussions meaningful enough, we will continue to see these types of data losses. It’s nothing personal, it’s strictly business. Risk management at work.
Risk analysis, not risk management, really, but who are we to nitpick?
FAIR analysis after FAIR analysis makes it clear. Probable Loss Magnitudes, in general, are aggravated by a significant factor due to Fines/Judgment losses. PLMs in the tens of thousands are now greater than half a million because of compliance. But even a few (tens of) millions in fines to a multi-billion-dollar-a-year company *cough* TJX *cough* are not discipline; they are more of the same “I’ll pull this car over if you don’t stop hassling your brother” threats.
If you really want to smack them around, the answer is compulsory consumer-led class action lawsuits: ones where the company has to hand over every possible name associated with the breach, pay the cost of sending notification to those individuals (so that they can be aware of their right to sue), and then pay an egregious amount per individual as a “floor” (say, a grand or two per person to make up for the cost and effort of repairing potential identity theft).
If you want a threat that will cause action, it’s the demonstrable, repeatable and consistent expectation of legal proceedings with severe penalties.
But I’m not convinced that penalizing companies because of breaches is the way to fix “the problem”.
Tags: compliance, information risk, information, risk, risk management, risk_management, security, information security, information_security, governance, enterprise_architecture
(via RiskAnalys.is) June 02, 2007, 9:29am