Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Are we becoming desensitized to data breaches?

Published: 2009-02-08
Last Updated: 2009-02-08 21:50:46 UTC
by Mari Nichols (Version: 1)
1 comment(s)

Maybe it's just me, but are all of the mass media reports of data compromises causing us to become desensitized to the dangers of poor security practices or are they helping?  This question lately became significantly more valid to me personally. 

First, the breach of Heartland late last year was instrumental in allowing budget money to be released for security projects.  Should I be grateful that Heartland had a potentially larger breach than possibly TJX?  Timing is everything when working on a security project and the release of that breach notification helped mature in the InfoSec process for many organizations. 

Second, having spent the better part of last year diligently working on writing ISO standard policies and the resulting agonizing process of IT governance development, I have found these breach notifications to be extremely helpful to my cause.  As part of the ISO 27001 ISMS (Information System Management System) policy development, I included a listing of US state breach notification law.  (This also helps with remembering to update the policy quarterly.)  Any organizations who deal with credit card information from diverse geographic locations are required to understand the breach notification requirements of their customers locations, including internationally.

Last month, I received a well-worded letter from Wyndam Hotels informing me that my personal information had been compromised by a "very sophisticated hacker".  Well, that very carefully chosen wording did get a chuckle from me, but then reality hit me.  I am officially a victim of the war we fight every day.  I'm not privy to the details of the hack, (although I tried)  but it did feel entirely different being a victim. As a result, I spent quite a few hours protecting my personal data.  Thank goodness they notified me and offered the free credit reporting services before my information was actually stolen.  According to the law, they had no choice but to let me know. 


Mari Nichols  iMarSolutions




Keywords: breach ISO law
1 comment(s)
Diary Archives