Security Basics mailing list archives

Re: financial loss estimates?


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 5 Oct 2011 16:31:14 -0400

On Wed, Oct 5, 2011 at 3:54 PM, Mikhail A. Utin
<mutin () commonwealthcare org> wrote:
> My ten cents: do not forget various laws and regulations,
> "Forty-six states, the District of Columbia, Puerto Rico and the
> Virgin Islands have enacted legislation requiring notification of
> security breaches involving personal information",
> http://www.ncsl.org/default.aspx?tabid=13489.

> from federal like SOX
> and to Massachusetts 201 CMR 17.00.

If you read SOX, HIPAA, and friends carefully, you will find it's a
license to give away your PII and financial information (seriously!).
I never agree to or sign HIPAA, 'Patient Rights,' or whatever they
call it. Don't believe the BS.

> When it comes to authorities, impact of an audit could vary from almost nothing to very significant.
> Plus, legal litigation. While TJX or a bank can afford all following and will survive, small fish will die.

Don't worry about class actions just yet. When is the last time you
heard a judge throw out a case because "there's no proof that the
thief who stole the money actually spent the money"? I've never seen a
class action relating to a data breach certified to date, and it has
happened for every data loss class action I am aware of.

This is despite the fact that there are real, future risks associated
with a loss of PII, financial, or healthcare data. See, for example,
"After data loss, ID theft risk soars",
http://redtape.msnbc.msn.com/_news/2009/11/20/6345699-after-data-loss-id-theft-risk-soars

I've criticized a number of federal judges for their rulings, and even
been visited by the US Marshals for the criticism (last was Judge
Buckles for his Amburgy v. Express Scripts, Inc. ruling).

[Sorry to stray off topic].

Jeff

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adam Pal
Sent: Wednesday, October 05, 2011 3:24 PM
To: fire0088 () fmail com
Cc: security-basics () securityfocus com
Subject: Re: financial loss estimates?

Hello Fire0088,


Personally I consider this task difficult up to impossible. Why?
Because companies do not like to list/share such kinds of impacts, as it would lead to an increase in the financial damage.
I usually consider 2 factors when I talk about the impacts you named
below:
- the financial impact of the incident itself (costs to change bank accounts, exchange credit cards, inform 
employees, etc.)
- the financial impact caused to the image of the company

The first one is calculable while the 2nd one is not; having good PR could save you, but depending on the 
propagation it could be critical for your company.


--
Best regards,
 Adam Pal

Wednesday, October 5, 2011, 4:05:16 AM, you wrote:

<==============Original message text===============
ffc> I'd like some of the findings I've reported to be converted into a
ffc> more manager friendly metric (there are three things a manager
ffc> focuses on: moving up the corporate ladder, pretty charts and money).

ffc> Are there industry standard rates, or case studies on the true cost
ffc> to a business for a data breach?

ffc> Specifically, I'm looking for the impact from a data breach
ffc> involving financial information (bank accounts, loan info, credit
ffc> card numbers, etc.), social security numbers, and employee IDs.

ffc> Thanks

ffc> -------------------------------------------------------------------
ffc> ----- Securing Apache Web Server with thawte Digital Certificate In
ffc> this guide we examine the importance of Apache-SSL and who needs an
ffc> SSL certificate.  We look at how SSL works, how it benefits your
ffc> company and how your customers can tell if a site is secure. You
ffc> will find out how to test, purchase, install and use a thawte
ffc> Digital Certificate on your Apache web server.
ffc> Throughout, best practices for set-up are highlighted to help you
ffc> ensure efficient ongoing management of your encryption keys and digital certificates.

ffc> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6
ffc> be442f727d1
ffc> -------------------------------------------------------------------
ffc> -----
