Which would you rather have:
a. five separate lost laptops with an average of 20,000 personally identifiable information (PII) records on them, or
b. one server compromise of 100,000 PII records
How about if I change it to this:
a. five separate lost laptops with an average of 20,000 personally identifiable information (PII) records on them, or
b. one server compromise of 200,000 PII records
In other words, how do you equate the number of incidents and the number of lost records?
Most evidence points to laptops being stolen for their physical hardware. Most cases of server compromise were by higher level criminals looking for data or at least capable of understanding what they have stolen.
It's not that I want laptops stolen, but they are a smaller risk from the data exposure standpoint based on who usually perpetrates the crime.
@Andy -
Great point and well worth considering. Would you factor in the fact that after the data has been compromised the risk is transferred to users? Or do you believe there would be a higher level of legal liability?
Pete
Definitely depends on whether you are trying to minimize disclosure costs or trying to contain PR damage and class action settlements. Clearly 5 separate lost PC events (assuming all 5 are lost separately) require 5 different disclosures and ensure that management are considered boobs for not dealing with the issue the first 4 times.
Obviously the downside with a server compromise is the bigger number and possible class action liabilities (though I guess those would be there for the 5 laptop incidents as well).
So if the security folks are trying to save their jobs, they should opt for the server compromise. If they are worried about potential damage from lost information, then the laptop thefts are less damaging.
About as clear as mud, eh?
Mike.
http://www.pragmaticcso.com
It isn’t clear that the liability is transferred to users; it depends on the type of data stolen. This is one reason I’m not quite so worked up about Heartland, at least in terms of privacy, etc. End users will bear almost none of the costs of that breach, I’d expect, while Heartland and the banks/card-issuers will have to spend a lot.
So, I guess to a large extent it depends on what kind of data is stolen. In your scenario you didn’t indicate whether the data comes under required breach notification laws. If it is “just PII” such as name, address, email, phone, then at least according to SB1386 the company wouldn’t have to tell anyone. Only if the data also included things such as CC#, bank data, etc. would they have to disclose.
Can you clarify the scenario you had in mind?
@Andy -
I was thinking of SSNs but really any info where notification is a possibility. I also considered making things more complex by differentiating between SSNs and CC#.
Perhaps it is easier just to assume that it is the same information in each scenario pair – I think then it could be held constant.
Pete
Thanks Pete. In this case I have to agree a little more with Mike’s analysis. That said, have we seen any successful class action against someone for a data breach?
@Andy -
I don’t know of any successful lawsuits in this arena. Here is one note I wrote a while back about that: http://spiresecurity.typepad.com/spire_security_viewpoint/2007/03/tjx_lawsuits_45.html
Pete