My Remaining Challenge to Adam Shostack on Breach Disclosure

I’d like to thank Adam for a healthy debate (and a provoking paper) about breach disclosure. We’ve jointly decided to conclude our debate in a gracious manner. While I’m sure both of us will discuss this further down the road, I hope that this debate has engaged people to think about the breach disclosure issue.

Without further ado, here's my final post on his paper and my reply to his post, We Have Nothing to Fear But Fear Itself.

On reading Adam's post, I was surprised to find that the most significant question I posed to him was not answered in any substantial manner.

My challenge to Adam remains:

What do you propose that would allow for better, more accurate and confidential disclosure that does not leak sensitive information?

His reply was,

“I’m proposing widely shared data.”

This is not a pragmatic framework. And that remains my challenge to Adam:

Create a framework for information security breach disclosures that will allow the public to be informed, allow academics to conduct the proper study of breach disclosures and protect the breached corporation (as much as warranted).

I believe that my proposal for partial disclosure is a pragmatic start. My initial proposal (which is certainly open to revision) of a centralized breach disclosure repository is a clear one; professionals and business people understand what such an entity would be and how it would function. Is it perfect? No. It has its flaws, but organizational structures of this type have been created in the past and work (as well as can be expected).

Please take note: I’m open to other possibilities.

I proposed partial disclosure because of the liabilities that may arise from releasing information. The liability threats are real: just ask anyone who has been audited for SOX. An increase in knowledge is not a sufficient business reason for a corporation to open itself up to possible litigation. So Geer's General Counsel remark is correct in this respect. A law (such as SB1386) is the primary motivating factor in these cases.

Reducing liability through the confidentiality of one's internal operations is in the corporate interest. Releasing some (not all) information regarding security breaches is in the public interest. Both interests could be, and should be, satisfied.
