Thursday, October 8, 2009

Hannaford case reversal

Some interesting developments for those who have been following the rulings in the Hannaford breach case - the judge had ruled that since cardholders were not affected economically by the stolen credit cards (banks will cover any losses to cardholders), they don't have a civil case against Hannaford.

However, the judge recently reversed himself and asked the Maine Supreme Court whether the "inconvenience" the cardholders went through should be compensated... Interesting fork, and one that could have a strong impact on retailers if the Maine Supreme Court indeed thinks so...

The bottom line is whether retailers should take more care of the data entrusted to them - while the judge had a very narrow view of "loss" to the consumer, the defense believes that they have a shot at making cardholder rights heard...

Should be interesting to see the developments...

Monday, October 5, 2009

One million dollars!

As a reward, that is... Express Scripts has reportedly put up $1M for anyone who can provide information leading to the arrest of those responsible. Apparently the thieves wanted to get the most from the stolen data - sell it to the highest bidder or extort Express Scripts to keep it safe!

Looks like extortion is the new black - from talk show hosts to stolen data! It will be interesting to see where this takes the industry. But my question is - is this extortion because the criminals do not have a market demand for the stolen data? If it has a ready market, why bother with extortion?

Thursday, October 1, 2009

Josh Corman at IANS

Just attended an interesting keynote by Josh Corman at the IANS event in Boston this morning. Very thought-provoking stuff - he also has an article about it in CIO magazine.

Being a good marketer, Josh trimmed down the 8 secrets to 7 (but wait! One was free and he counted from zero, so we are back to 8 :)). I had previously discussed one of his takes in this blog.

The interesting part about listening to the discussion live is Josh's emphasis on risk. He believes that we as security professionals have been so caught up with managing around compliance mandates that we have not stepped back to think about what risk we are actually mitigating.

Excellent point - especially when it relates to the projects on hand. Would you do full-disk encryption (FDE) based on the knowledge that 31% of all breach incidents are the result of lost and stolen laptops? Of course you would. However, would you rethink your decision if you also knew that these lost laptops account for only 9% of all data lost? Hmmm, does FDE only reduce risk by 9%?

That begs the question: what else reduces risk by a larger percentage? Interesting topic, and a subject for another post...