Shostack + Friends Blog Archive



Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach.
According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to in the VA case, this sort of approach would almost certainly be much less costly than services like Equifax’s CreditWatch, which are often offered to those whose information has been revealed by a breach.
I think what we’re seeing here is the leading edge of a trend. Firms are applying (what they think is a) risk-based approach to determining what level of post-breach response they provide (if any) to individuals whose information is involved. This is similar to the risk-based notification triggers which some think wise. I would look for more of this. As firms become more knowledgeable about their options, they will become more discriminating in their responses.

One comment on "Trendspotting?"

  • LonerVamp says:

    This reminds me of a scene in the movie Pitch Black. Vin Diesel’s character is asked if he sees any danger up ahead. He says, “Looks clear.” The group makes a sigh of relief, someone moves forward, and the person is immediately scooped up by some large carnivorous creature. The astonished survivors look at Vin wondering why Vin would seemingly lie to them. He replies, “I said it *looked* clear.” They begrudgingly ask him again and he replies with an amused, “Looks clear.”
