[BreachExchange] Data breaches: Playing by a new set of rules?

Mon Mar 20 19:17:53 EDT 2017

https://www.helpnetsecurity.com/2017/03/16/data-breaches-new-rules/

Tell me, what’s your response when you hear that a company that was
breached are now losing customers? I suppose it’s at this point the word
reasonable makes an appearance. Whether this is the regulator, or in fact
data subjects whose personal data is now being packaged and sold to
identity thieves.

The key question is whether the company who lost all that data took
reasonable measures to protect that data.

If the answer is no, well guess what? The regulator can come in and fine
your organization. In fact, it could get even worst because you will become
the victim of abnormal churn rate. You know that term to describe the
number of customers that will leave you because they just don’t trust you
anymore.

Within the last year we have seen examples where exactly that has happened,
for example on business who experienced a significant breach were reported
to have lost almost 100,000 customers. In the words of the regulator the
impacted company “should and could have done more to safeguard its customer
information“.

In many ways, this response is expected. The term reasonable is part of the
information security rulebook. We all recognise that there is no such thing
as 100% secure, so demonstrating that reasonable measures have taken place
should lessen the impact. The regulator will not impose a fine, the press
wont write about, social media will be kind because you are just the
unfortunate victim of a sophisticated/nation-state/zero-day attack, and oh
your customers will simply accept that there is no such thing as 100%
security and stay with you.

I suppose not all of the above will happen! But the impact should not be as
significant as a company that falls victim to say a SQL injection attack?
Well in the case of DynDNS I have to say that I felt that this company were
seriously hard done by. In case you missed it, as a result of them being
the victim of a major DDoS attack, it was reported that they lost 14,500
domains stopped using their service. Why? I mean if you are a customer
moving to another provider would they have done any better against the
Mirai botnet? This was a failing of the entire technology sector releasing
the spew of vulnerable devices that allowed this router-killing Mirai
botnet to disrupt Dyn.

This represents a frightening trend. In that it doesn’t matter what YOU do,
you will lose customers. The only question is whether the breach is
significant or interesting enough to garner enough attention that will
determine how many customers you lose.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170320/e1f78f69/attachment.html>