Shostack + Friends Blog Archive

 

Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” [link to http://www.securitycatalyst.com/blog/2008/11/breaches-cost-companies-customers/ no longer works] and Alan Shimel dissents in “Do data breaches really cost companies customers?” [link to http://www.stillsecureafteralltheseyears.com/ashimmy/2008/11/do-data-breaches-really-cost-companies-customers.html no longer works]

Me, I think it’s time we get deeper into what this means.

First, the customers. Should they abandon a relationship because the organization has a security problem? To answer this, we first need to look at the type of organization. For governmental organizations, it’s very hard. They won’t let you go, and if they do, they won’t destroy your dossier the dossier about you.

For regulated entities, they generally may not delete the information they collected for some number of years (varies, but always sufficient for them to lose control of the data again).

For unregulated entities, you can’t (in the US) ask them to delete the database record either.

So for most breaches, the only value to abandoning the relationship is to stop paying the company. Which is a reasonable bit of retribution, but doesn’t actually add to security, and may subtract from it. It could subtract because (assuming you replace the service you were getting) there’s now an additional dossier about you.

Second, what’s the discrepancy? Why do 30% of customers report having closed a relationship, but Ponemon’s own numbers show a range of 2-7%? There are three hypothesis which spring to mind.

  1. Consumers are confused or lying. This would only make sense if you think the American people are idiots. The sort of folks who would think Iraq had chemical weapons in 2002 buy books titled “neurosurgery for dummies.” [link to http://www.tauroscatology.com/brain02.htm no longer works]
  2. Consumers are right, and closing one of several relationships. All those numbers could be right, if consumers are getting more notices than we think. This would be one of many problems with our volunteer based systems for tracking breaches.
  3. The discrepancy is really notices sent versus notices received. That is, people are not opening the “Dear John Doe” letters.

4 comments on "Do Security Breaches Cost Customers?"

  • Ted Doty says:

    What happens if essentially an entire industry is compromised, like the German Banks? What should a consumer do? What can a consumer do?
    http://www.theregister.co.uk/2008/12/09/stolen_german_bank_accounts_for_sale/

  • Adam says:

    Ted,
    There are a couple of problems with the German bank situation. The first is the exposure of personal information, the second is the abuse of banking details, and the third (in the US) would be the credit impacts of the abuse of the information.
    As to the first, I don’t have a clear answer. There are people who reasonably want to protect the privacy of where their home is–celebrities, government officials who make unpopular decisions, those under threat of personal violence from an ex-partner. The banks have contributed to a risk of personal injury there.
    The current abuse of banking details can be dealt with through re-issuance, re-numbering and re-authentication. This will be expensive for the banks and their customers, although perhaps less expensive than fraud. We don’t know.
    The final bit, the ongoing implications of impersonation requires a response in line with how the country’s credit reporting systems work. I’ve discussed this before in posts http://www.emergentchaos.com/archives/2008/02/the_real_problem_in_id_th.html http://www.emergentchaos.com/archives/2008/06/identity_theft_is_more_th.html I’m not sure if these solutions would work in the German context.

  • David Brodbeck says:

    There may also be an assumption on the part of consumers that the problem is pervasive. What’s the point in changing companies if the new one will be just as bad?

  • ds says:

    >>
    There may also be an assumption on the part of consumers that the problem is pervasive. What’s the point in changing companies if the new one will be just as bad?

Comments are closed.