LogBlog


Security Breaches: The Victim Will Get Blamed, and Worse

By Barbara Rogan, LogLogic General Counsel

Blame the victim.  This was a common defense in the sexual assault cases I helped prosecute when I worked as a prosecutor.  Unfortunately this mentality applies not just to rape cases, but also to companies whose critical data has been breached, even when criminals are the ones stealing the data.

One of the biggest data breaches in recorded history hit Heartland Payment Systems.  This is a bona fide case of the bad guys attacking networks and compromising critical data.  In Heartland's case, the breach went undetected for many months, and Heartland has no idea how many credit card numbers were jeopardized.  Potentially millions, but no one knows for sure (or at least they are not saying so publicly).  To deal with the publicity and legal fallout, Heartland established a website (www.2008breach.com) dedicated to the breach.  The bad guys were caught fairly quickly after the breach was discovered (see: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=214303553) and have already pleaded guilty (see: http://news.cnet.com/8301-27080_3-10423008-245.html).

But the fact that the bad guys were brought to justice did not exonerate Heartland.  Just last month, Heartland paid American Express a $3.5 million settlement for damages associated with the breach.  The Amex settlement is apparently the smallest of three, as Heartland has not yet settled with Visa or MasterCard.

Okay, so Heartland is a big company, but smaller businesses have also been hit with lawsuits for failing to protect data.  RockYou, a maker of Facebook apps, was recently sued in San Francisco in a class action lawsuit (see: http://news.cnet.com/8301-1009_3-10423042-83.html).  Again, it was unmistakably bad guys stealing the data.  But because RockYou didn't take reasonable security precautions to protect that data, it is now facing a very expensive suit and all the negative publicity that entails.  I am sure RockYou didn't want to be profiled by CNET for this reason.

Beyond the civil suits, there is the potential for criminal action.  Just ask HealthNet and Wentworth-Douglass Hospital.  Both have suffered data breaches that resulted in investigations by their state attorney general's office.

The bottom line is that no company should expect sympathy if data in its care gets breached.  Consumers, plaintiffs, and regulatory agencies are just as likely to blame your company as they are the bad guys.  You are the victim of the data theft, but unless your company has taken every available precaution, you will also be viewed as one of the "bad guys."

Shameless plug section: So how does this relate to LogLogic? One way to make sure you have taken all proper precautions is to have complete visibility into the events in your systems. It all starts with Log Management, and for visibility and control over your security environment, our Security Event Management. Check them out for more information.

Posted January 07, 2010 in Legal Nerd, Log Management & Intelligence, Security
