Shostack + Friends Blog Archive


Massachusetts Analyzes its Breach Reports

In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages.

There are many interesting bits in those four pages, but the two that really jumped out at me are:

  • The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.
  • The Hannaford breach (as understood in light of the HSBC notification) illustrates that data breaches not amounting to the breach of “personal information” have the potential to be as damaging as those that do involve such information.

What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new. It might, if you’ll forgive me, even be New School.

One comment on "Massachusetts Analyzes its Breach Reports"

  • jcran says:

    After just reading the ‘New School,’ it’s great to see this kind of information being publicized.
    Keep up the good work.
