Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out:
You know data security breaches are way too common when a company builds a business around customer notification of stolen information.
and he ends:
I applaud companies that comply with notification requirements. It’s the right thing to do. But I’d think twice about doing business with a company that signed up for such a service. It gives the impression that a breach as inevitable, and they are just giving up.
I have two main responses: First and foremost, the emergent market for advice and management of these issues is a good thing. Companies need help, and they’re getting it. The costs of handling a breach will start to fall, because expertise in handling them will become available. (There’s also the interpretation that companies are investing in designing and marketing products indicates that they don’t expect breaches to be a flash in the pan.)
My second response is that I believe that many breaches are inevitable, because we don’t talk about what goes wrong, and we have no way to test much of the pablum suggested as “security best practices.”