Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

From: Allan Friedman (allan_friedmanksgphd.harvard.edu)
Date: Thu Mar 20 2008 - 10:13:08 CDT


> On the public policy issue, I agree. If you want companies to disclose
> the exact circumstances around a breach (exact technical details), there
> will have to be a shield that prevents plaintiffs' attorneys from using
> the information in lawsuits.

You highlight an interesting trade-off. It may be the case that more
disclosure would reduce incentives to prevent future breaches,
depending on how we understand the problem.

A standard policy tool for enforcing maximum diligence is the threat
of lawsuits, massive ones that can wreck a corporation. If we follow
this liability argument (as advanced by Schneier and other scholars of
the economics of information security) then making concessions to
corporate defendants can impede the end goal of less data retention
and greater data protection.

If we don't think we're ever going to get there, then more data about
breaches for the purposes of research is clearly the greater good.
This is a very interesting dynamic. I'll have to think about how to
model it...

Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Fellow, Center for Research in Computation and Society
School of Engineering and Applied Sciences
Harvard University
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
