No. No. Not me.
I was meditating on reputation risk the other day, and behold, the Daily Dave belches forth the documents I sought. (I remembered something on Emergent Chaos on this topic, but hadn't dug deep enough into their archives.)
The study I remembered and cited by Adam Shostack was "Is There a Cost to Privacy Breachs? An Event Study."
The salient quote:
"[Privacy breach] impact is statistically significant and negative, although it isWhich is supported by anecdote (check out the TJX stock price).
So how do you convince your management to follow privacy principles? Appeal to the better angels of their nature? Start eavesdropping and pretexting them and see how they like it? (HP probably did as much good as the CDT, EFF or ACLU as far as advancing the privacy agenda in Congress).
I'm guessing the shift, as a result of the "privacy fatigue" and the "identity theft fatigue" should be to the high risk transactions, that expose the data's subject to verifiable risks, not just the lost computer tape or missing laptop. But I need data to support that, dagnabit. Else:
An' everyone can say what they wanna say, it never gets better anyway.