Tuesday, August 21, 2007
Market Fresh
A curious discussion of terror risk and a terror-prediction futures market by some GMU economist types and at the Chronicle's Footnoted blog.
I don't know enough about econ to assess the value of such a market, but I do wish that someone would set up a Privacy Breach Futures Market so we could make the security analysts put their magic quadrants where their mouths are. (Or vice versa: whichever would be more unpleasant.) Viz, the TJX OMG!!1! MILLIONS IN PWNAGE!! NO!!BILLIONS! analysis found on Computerworld. Maybe something more along the lines of buying squares in a football pool would offer as much predictive value as the collective voices of these cats.
Photo courtesy The Prodigal Son.
And yes, this is the second consecutive post with a Broken Social Scene related title. Because Broken Social Scene are one of my top five most favorite things that are Canadian.
Posted by Dutcher Stiles at 5:17 PM
Labels: breach notification, disclosure laws, risk assessment, risk management, threat, vulnerability
Monday, August 20, 2007
I Feel That It's Almost Crime
Imagine Monster put a click-through license on the malware, adjusted the privacy policy a tad (include an opt-out for additional "services"), and voila! It's not a privacy breach, it's an additional revenue stream! The 1.6M bits of Monster job hunter data is at least as hot as the Glengarry leads.
Imagine that the Certegy/Fidelity records were not sent on a wild cascading romp through the land of data brokery by the actions of a rogue database administrator, but through a perfectly legal contract. (As Mr. Certegy assures us, the data was sold to legitimate data brokers.) So the whole thing is just a crossed "T" or dotted "I" away from being 110% on the up and up. Instead of class action, we'd be talking steak knives and Eldorados!
It's just semantics. "Data broker" = "Identity Thief." "Lead Generation" = "Privacy Breach."
It's all the same. But the Yukon keeps me up all night, and it feels like it's almost crime.
Posted by Dutcher Stiles at 4:14 PM
Labels: breach notification, consumer, disclosure laws, identity theft, privacy, singalong
Tuesday, May 8, 2007
SSNS ON THE LOOSE! (Legacy Edition)
I'm trying to understand the newsworthiness of the latest episode of "SSNS On The L0OzE. OMG!!1!!"
Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for 'em. Contractor looks for 'em. Then they find 'em, in the wrong slot. A problem as old as the mainframe.
My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn't state the format of the tapes, but I'm guessing it's EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his "legacy" villainy.)
Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: "If In Doubt ASK".)
What is the solution proposed by the contractor?
"The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said."
I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.
Diamonds Are Forever image courtesy Xeni.
Posted by Dutcher Stiles at 4:04 PM
Labels: breach notification, disclosure laws, internal auditing, physical security, sb1386, security
Thursday, April 26, 2007
Go Ask Alec Baldwin
SSL apostate Ian G. refers to an article on estimation of loss due to a privacy breach.
I think we are measuring the wrong thing, and operating on these assumptions is dangerous.
From the article, a Forrester analyst says:
"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number."
The $90 - $305 range smacks of too much precision and not enough accuracy. Only software project managers can get away with ranges like that. These numbers are more harmful than worthwhile. Most of these factors are not driven by record count (legal fees, stock plummets or lost productivity). Record-specific costs are generally lower (call center and postage - and if you lose enough records, you don't even have to mail notices). So let's just call it BTUs per furlong and call it a day. And I don't think "customer losses" is as important in assessing the risk as "losses to customer."
The next Forrester quote underlines the problem I have with the general corporate thinking about privacy breaches:
"Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."
The reason you could get away with just fixing it and moving on was because the company didn't lose anything it owned. What it lost was owned by its customers. Losing one bit of highly sensitive data about one litigious customer could cause more damage than a dozen laptops filled with the SSNs of 10 million people.
It's the "loss to the customer" that will drive your high dollar PR and legal efforts, which have scale, and can dwarf your call center and postage costs in an afternoon.
I'd like to take the data, rehash it according to type of breach, sensitivity of data and litigiousness of customer. Then I think you'd start on the road to a meaningful metric.
Posted by Dutcher Stiles at 6:35 PM
Labels: disclosure laws, identity theft, privacy, sb1386, security
Wednesday, March 14, 2007
Repost Redux: Special SXSW Edition
Having read a few additional commentaries, I began to think some more on two issues I posted about earlier.
Greg Abbott vs. The County Clerks
Mordaxus at Emergent Chaos says we need to chill, which made me wonder if there was less to this issue than I previously thought. The more I think of it, though, the less appealing the whole mess appears. The clerks routinely sell the data in their charge to data brokers. The Open Records Act (Texas' FOIA) allows the clerks to charge for the records. By redacting the confidential parts, the data would be less attractive to the brokers, and the clerks' revenue stream might dry up.
The clerks are digitizing and distributing information on the Internet beyond the scope of its original purpose, and counter to Texas law. I don't have a problem holding these folks accountable to the law and their duty as custodians of the data. I will be having a beer or three at SXSW, though, probably at the Yard Dog and at Woody's.
The Hacker vs. The Corporation
Both Emergent Chaos and ArsTechnica have things to say about the study I posted about yesterday. EC posted a link to the study, but after reading it, I don't think I've changed my mind. I am, in fact, more confused about the purpose of the study than before. The distinction between "hacker" and "corporate malfeasance" strikes me as less interesting than the distinction between "stolen" and "lost." The question for me as a consumer remains a question of risk. Am I more likely to suffer damage to my reputation or finances if my personal data is "lost" or if it is "hacked"? No doubt frequency is part of the equation, but so are the capabilities and intention of the threat.
Photo of the Casting Couch in action by me.
Posted by Dutcher Stiles at 3:28 PM
Labels: breach notification, disclosure laws, panic, sb1386, ssns, texas
Tuesday, March 13, 2007
Charts 'n Graphs
From Pogo, this article from Physorg on the classic Evil Hacker v. Evil Suit dilemma. From the article:
If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.
Goodness. This article seems to do more damage than good in increasing awareness of the privacy issue. The key bit of data that seems to be missing is the damage. More from the article:
"Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches."
So, how many fraudulent charges were made, fake IDs manufactured or reputations horribly disfigured by each category? The author of the study adds:
"And the surprising part is how much of those violations are organizationally prompted – they’re not about lone wolf hackers doing their thing with malicious intent."
So, would you rather Big Nameless Credit Card Company notify you:
A. that your name/credit card/SSN/date of birth were lost at an airport while stored on an encrypted laptop hard drive
OR
B. that Lone Wolf Hacker sniped your digits off their server (running unpatched IIS 2.0 on unpatched Win98)
Of course I can't prove that either scenario is inherently more dangerous for the consumer. I can just shake my angry fist at the data.
Posted by Dutcher Stiles at 3:54 PM
Labels: breach notification, consumer, disclosure laws, privacy, sb1386
Monday, February 26, 2007
Impacted Molars: Misguided Ninja Dudes and PCI Awareness
MESIAL
Dark Reading continues its obsession with physical security:
Network dude rassels potential bad guy, followed by a stern warning on what a scary world it is out there, 'cause physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I'm not going to hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.
LINGUAL
The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice run down of all the parties involved. His characterization of the consumer is incomplete:
"The consumers' concern for nuance extends only to the following extent: 'I see a sturdy live oak right over yonder. Let's get us a rope and hang him.'"
The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.
Photo from Henrier.
Posted by Dutcher Stiles at 3:54 PM
Labels: breach notification, compliance, disclosure laws, pen testing, physical security
Tuesday, February 20, 2007
With The AM Radio On
The imperial raftload of opinions on who really is the victim of credit card fraud, stemming from the Boston Globe article on the legislative reactions to the Stop and Shop Skimming Shenanigans, is centered around this quote as much as any:
"If this legislation passes, all retailers, all companies, and all banks will know they'll be responsible for absorbing every cost associated with a data breach."
Of course that quote doesn't make a whole lot of sense once you parse it; it just seems to be pluralizing the victims in a bizarre twist on bystanderism, i.e., if we're just going to sit around and watch the crime happen, let's all be victims!
Most puzzling to me are the voices of the outraged merchants on the Slashdot thread, sounding too much like a hoodlum's fence pleading ignorance to the cops on the legal state of goods in his possession. The merchants are no doubt getting the shaft in the current credit card fraud scheme. They may not have the financial resources and high-powered lobby that the banks and credit card outfits have, but the merchants do have the capacity to do more to validate a transaction than to make sure the magnetic strip is functional. Are credit card transactions getting to the point where they need to be validated as vigorously as a personal check? Remember those?
I see a business opportunity here. Heck, I'm in love with the modern world and I'll be out all night.
Posted by Dutcher Stiles at 3:49 PM
Labels: disclosure laws, privacy, regulations
Wednesday, January 3, 2007
The Lost Wallet vs. The Mugging
According to the new round of disclosure laws that sprouted up out of state houses in the past couple of years, if an outfit loses your data, they ought to let you know. The notice is familiar to just about anyone who has either attended an institution of higher education, applied for credit or been issued a Social Security card.
"Dude -
We lost your information in a way we may or may not describe to you.
Sorry.
Love,
The Man"
The Dude reads the letter, cusses, and hopes for the best.
Of course this doesn't work in the real world. Consider the alternative:
Dude loans his ATM card to his buddy to grab a sixer and a pack of butts at the Sunshine Mart. Bud comes back with neither the card nor the highly taxable products. The Dude has some key risk assessment questions to ask, primarily, "Did you lose it, or were you mugged?"
This question is key, and when extrapolated to the Man's letter, exposes why disclosure laws generally suck in protecting the Dude. The Man isn't required to fess up as to the how and who of the incident, so the Dude can't make an informed decision. Does he call up the bank, cancel the card, bum butts and distill moonshine until the bank gets it all figured out? Or does he ask Bud to go crawl back into the Chevette and dig around between the seats?
SB1386 and its cousins don't require the Man to give the Dude enough information to make an informed decision. There's a difference between privacy and compliance. Compliance can really suck.
Posted by Dutcher Stiles at 6:45 PM
Labels: compliance, disclosure laws, privacy, sb1386