Insuring Against Data Loss Losses

Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:”

As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another growing driver for new forms of insurance is the many government data compliance regulations that threaten stiff penalties for companies that cannot effectively defend their information, such as the Sarbanes-Oxley Act, according to Callahan.

Can someone explain to me why the world is going to end if we have to report breaches? Unpredictable costs are apparently going away.

A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so.

The nice folks in NY made the first one a freebie (about 150 pages), but since I told them I’d be making these requests regularly the charge has been 25 cents per page, so the latest batch of docs is $322.25.

I have no objection to NY charging this amount, and by the time you read this the check will be in the mail, but the growth rate scares me.

I have been scanning in these documents, and (sloooowly) working on a database-driven web page folks can use to get at them. The idea is to link this document repository to’s DLDOS archive. One thing that’s kind of cool at the moment is that my second batch of scans (linkage below) actually OCR’ed the docs, making them searchable. I’ll probably be crazy enough to let them get indexed by Google, too.

Anyway, if you think this work is worthwhile, and you trust me and can afford it, it’d be cool if you could send a few bucks my way to support this ongoing initiative. Any funds I get will be spent solely on expenses directly related to obtaining, filing, and scanning these documents for on-line examination and download. I do all the work myself, and will NOT be accepting or soliciting payment for my time. So far, I have spent maybe $10 on file folders and $71.75 in duplication costs paid to NY. I figure that henceforth 95% of the cost of this effort will be fees to various government entities, and 5% will be office supplies so I don’t drown in what I get back.

I want to make this easy, so I set up with PayPal

If you prefer not to use that service (and that’s cool with me), but still want to help, you can email me at
and we’ll work something out.

I am maintaining an on-line record of how much I have spent on what, and how much I have taken in (but not from whom), so folks can get a sense of where any funds are going. Obviously, this all depends on me not lying to you, so maybe you should keep the contributions below four digits at first :^).

ZIP archives of my first two rounds of documents are available at

for those who are interested.



[Update: Link to record of expenses/contributions added.][…and fixed]

Hmmm…Breach Notification…Australia…

So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.)

So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor at a respectable Australian publication say:

When a data breach occurs, you obviously need to notify those affected. You definitely do not want to tell people that someone accessed their personal information in an e-mail. Users could easily mistake such an e-mail as a phishing attempt and delete it without reading it. (Emphasis added.)

[Updated: The article was picked up from Techrepublic–I think the point stands, but not as strongly.]

Goat Security

It seems that the Gavle goat survived the holiday this year. Giant goats in Gavle seem to have about a 20% survival rate, with this year’s being only the 11th to survive the holiday season since 1966.

No word on what fire-retardant was used, which is too bad. How are other 13 meter straw goats supposed to learn from his experience?

The BBC story is “Swedish ‘goat’ defies arsonists.” Previously on Emergent Chaos, “13 Meter straw goat met his match.”

The Pragmatic Reviewer

Today Mike Rothman launched his new book “The Pragmatic CSO” at the astounding price of $97. I took the plunge and downloaded the introduction and it isn’t half bad, but aside from a cute dialogue at the beginning it doesn’t really read differently than any number of other security books I have on my shelf. The big difference seems to be the price tag. The other security books in my collection seem to be priced in the $50-$60 range and are professionally bound versus The Pragmatic CSO which is a downloadable pdf. So at this point not only is it nearly twice as expensive, but if I want a hard copy I need to spend even more money printing it out myself. On the plus side, Mike does have a 30 day money back guarantee, so I suppose I could shell out the money and then decide if I like it or not.
I do have a question for Mike though. On the website, under “Still Skeptical” is a short essay extolling the book by “Mike (the security products addict)”. I’m curious who this might be, care to share? No one has ever quoted me as Arthur for a product pitch, but they have under my real name. So even though it’s a little ironic for someone blogging under a pseudonym to call someone else on it, come on, name names. Whoever they are, this quote in particular caught my attention:

I can say that buying the Pragmatic CSO book was the best $97 I spent all year. For less than I spend at Starbucks a month, I was able to get back in control of my security environment. In hindsight I would have paid 20 times the price. Even better, YOU HAVE NOTHING TO LOSE. If you don’t like the book, just ask Mike Rothman for your money back within 30 days – no questions, no heartburn.

That’s quite a powerful statement coming from in response to a newly published book. I’d love to hear more about how the book helped them. Perhaps you could broker a conversation with them at RSA? Or is this just one of those PR generated quotes that, as an analyst, you hate so much?
[Image from Z Production]

When Planes Fell From the Sky

The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:”

In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the time an airplane crashed in my neighborhood. It set me to thinking. Here’s my story on it…

While his story seems like one of incredible bad luck and improbability, it really isn’t so. In fact, my research shows that in the years 1950 through 1956, planes fell from the sky on south Minneapolis with astounding frequency — dramatic enough to make news, but not so unusual to be considered really exotic.

What Bill Gurstelle doesn’t talk about is how the airline industry stepped up and fixed the problems. It was an aggressive and purposeful embrace of transparency. Accidents got investigated, written up and talked about. Lessons were analyzed and taught. And air travel got safer. It reminds me of the bad old days of hiding vulnerability information and breach reports. We didn’t talk about buffer overflows, and from 1973 to 1996, there was no class fix for them. It was the same thing with breaches. Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.

Photo from Washington State Historylink.

Five Things You Don't Know About Me

Dear Bob,

You may think I’ve been ignoring your post, but I’ve been trying to decide how to approach it. This morning, courtesy of Scoble, I found Hugh McLead’s post on the subject:

  • I dislike you intensely.
  • I love it when bad things happen to you.
  • When your name is mentioned I immediately try to change the subject.
  • I wouldn’t read your blog if you paid me.
  • If we were trapped on a desert island together I would kill myself.

And finally, I often quote Bob Blakely as saying privacy is the right to lie and get away with it.

I anti-tag the Matasano Five to exempt them from the meme: Dave, Dino, Jeremy, Tom and Window, you have a ‘get out of blogging free’ card.