Shostack + Friends Blog Archive


On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes:

I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud or other crime, I’m not sure that I agree with mandatory disclosure. That data, while useful to the awareness of security, provides information that cannot be made transparent to an entity’s competitors, i.e. the availability of this data may provide for means of advantage in key markets based on the data “surrounding” the security data. I’m a proponent of mandatory disclosure of “lost data”, but I just think that this topic needs a great deal more discussion.

I admit, I have been using “mandatory disclosure” in a somewhat slippery way. Mostly I mean the mandatory disclosure of a loss of confidentiality of personal information, such as is mandated by California’s SB 1386, a host of other laws, and emerging new custom and expectation. I also use it in a somewhat tongue-in-cheek way to refer to the benefits that mandatory disclosure is bringing, despite the discomfort involved in the transition.

Beyond that, I note the utter paucity of good information about security breaches. This paucity hurts us deeply as a profession, as we talk about how über-hackers tromp undetected through networks. Compare and contrast the quality of data we have about computer security incidents to the quality of data about burglaries. Should we mandate disclosure of these things? We mandate lots of disclosure under laws like SarBox. It’s not clear if it does much good for the expense it entails.

There is, of course, the whole bloody “debate” over disclosure of vulnerabilities in software. Like all right-minded people, I believe in full disclosure and only practice it when left no choice.

As to the concern that competitors may start jumping on a lack of security as a way to poach customers, I can’t see that as justification for allowing a company to mislead the public. We demand lots of disclosures from companies, especially around the reporting of crimes. Why should online crime be different?