Shostack + Friends Blog Archive


The Next PR Speciality?

Over at Presto Vivace, Alice suggests that “Security breaches and violations of privacy are going to be the next speciality in crisis communications.”

I suspect that she’s right, and hope she’s wrong. In cases like Cardsystems or Choicepoint, where the organization is violating policy, contract, or law with its data, the impact on the company should be enormous. In cases like BJ’s, where there’s no reason for the data to be collected, the PR firestorm is the cost of their business model. But in many of the cases, banks, universities, and hospitals have been compelled to collect data by Federal law, and they then overuse it, or treat it carelessly.

As information security companies, we need data from the hundreds of such cases that are taking place to learn more about how information security fails. The Department of Justice collects Crime and Victim Statistics; the FBI has Uniform Crime Reports. Such data allows folks like Adrian Holovaty to create sites like Chicago Crime and integrate the data with Google maps.

We have no such data sources for information security. The best we get is the Secret Service/CERT reports. I’m happy they’re doing them, Bruce Schneier isn’t.
And so, I’m in favor of more disclosure. Of the normalization of such disclosure. Because disclosure is essential to science. So let’s hope those PR specialists do their best to normalize the events, so we can get over our shame (and bizarre insistence on companies having more privacy than people) and start improving.