Shostack + Friends Blog Archive


Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered just how many ways there were to count to 500. The law requires disclosure only in cases that “pose a significant risk of financial, reputational or other harm to the individual affected.” His team spent hours poring over a backup of the stolen laptop files.
(“Digital Data on Patients Raises Risk of Breaches“, Nicole Perlroth, The New York Times, Dec 18 2011)

This is the effect of trigger provisions: it’s the biggest headache in dealing with a breach. We shouldn’t be burdening businesses with the decision about what a significant risk entails, exposing them to the liability of making a wrong call, or risking that their decisions will be biased.