Shostack + Friends Blog Archive


No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out:

You know data security breaches are way too common when a company builds a business around customer notification of stolen information.

and he ends:

I applaud companies that comply with notification requirements. It’s the right thing to do. But I’d think twice about doing business with a company that signed up for such a service. It gives the impression that a breach as inevitable, and they are just giving up.

I have two main responses: First and foremost, the emergent market for advice and management of these issues is a good thing. Companies need help, and they’re getting it. The costs of handling a breach will start to fall, because expertise in handling them will become available. (There’s also the interpretation that companies are investing in designing and marketing products indicates that they don’t expect breaches to be a flash in the pan.)

My second response is that I believe that many breaches are inevitable, because we don’t talk about what goes wrong, and we have no way to test much of the pablum suggested as “security best practices.”

2 comments on "No, Breach Notification Service is a Good Sign"

  • LonerVamp says:

    I think it is a fundamental part of security to live by the assumption that a breach or incident is inevitable. It might not be today, it might not be trivial, but it will happen.
    You are especially correct in saying this could be affected because we don’t talk about what goes wrong. It’s such an evil, evil topic that everyone outside our field desparately wants to remain hidden…and that info is the very stuff we’re desparate to have.
    Being both a person and also an IT guy, I still have no real problem with this notification service idea. Props to the founders for seeing an opportunity to soften the impact of breach notifications when they occur.

  • csia says:


Comments are closed.