Shostack + Friends Blog Archive


CSO Breach SOP == FUD?

Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling; however, as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business needs or risks. CSO says:

Looking further into the business impact of the post-breach processes, we quickly see that the way an organization reacts to the security breach can make the difference between a minor financial impact and a complete corporate meltdown.

and also:

The real costs in any security breach are in the long-term financial impact and productivity reduction, not the immediate remediation costs.

Except, they don’t actually ever support the claim. They don’t provide a single example of a company being significantly hurt by a disclosure. I personally can think of one, and that is CardSystems. In fact, from the Alessandro Acquisti et al. paper that Adam linked to earlier today, we learn the following, which completely contradicts CSO Magazine:

Our event study shows that there exists an impact for privacy violations. This impact is significant and negative, although it is short-lived.

This supports the anecdotal evidence, such as the fact that ChoicePoint is now trading at prices that are more or less the same as before all of its disclosure issues.

And while I’m complaining, enough with citing the 1982 Tylenol issues as a business case. There is a big difference between dealing with a privacy or data leak and people dying because your drugs have been poisoned. Surely the editors could find a more recent example where a management team has handled a major issue well, such as the one at Facebook?

3 comments on "CSO Breach SOP == FUD?"

  • Sharon Besser says:

    A Gartner publication (Publication Date: 19 September 2006, ID Number: G00142771) that presented the ChoicePoint case study is an interesting read and very related to this issue. Among other findings, they present the following:
    • It publicly reported specific expenses addressing the data breach incident totaling $27.3 million in 2005 and $1.8 million through 30 June 2006. Ongoing operational costs resulting from the changes the company made are now included in its normal cost structure.
    • In 2005, the company lost nearly $20 million in business because of its deliberate decision to stop doing business with customers whose credentials could not be thoroughly validated.
    • It became one of the most-audited companies in the U.S. in 2005: It underwent 43 third-party audits, five of which were SAS 70 audits of the company’s applications. In 2006, ChoicePoint expects to complete up to 30 audits, including a particularly grueling one required by the FTC.

  • Arthur says:

    Thanks for the heads up, I’ll check out the case study. For what it’s worth, though, from various public filings, here is a comparison of earnings from 2004-2006 from ChoicePoint:
    2004 – 918.7 million
    2005 – 1.1 billion
    Q1 2005 – 259.3 million
    Q2 2005 – 227 million
    Q1 2006 – 269.9 million
    Q2 2006 – 240.8 million
    From this we can see that although ChoicePoint seems to have taken a short-term hit in their earnings, sales in fact went up in 2005 and so far are up again in 2006. And this from a company that pretty much did everything wrong in handling the incident. I’ll comment further after reading the Gartner report.

  • Sharon Besser says:

    According to Google Finance, ChoicePoint’s net income is actually decreasing. We’ll see how they did this quarter, but it looks like their competitors are doing much better.
