Dan Munro had an interesting conversation with Jeff Williams of Contrast Security at BlackHat, which led to a draft scoring system for data breaches and corporate responses:
- Tone – Is the announcement apologetic rather than blaming? Does it acknowledge that there should have been better defenses, and that the breach should have been detected and the attack stopped?
- Timeline – When was the initial break-in? When was it discovered? How long to disclose?
- Scope – What information was stolen and what control was lost?
- Size – How many people were affected? How many servers?
- Root Cause – What was the underlying vulnerability that was exploited? What defenses are in place and how did the attack bypass the defenses?
- Discovery – Who discovered it? Victims? Security firm? Why didn’t you know earlier?
- Remedy – Are you really making victims whole? For how long? [Personal Health Information – PHI is literally lifelong]
- Future – What are you going to do to prevent future or similar attacks?
- Blame – Did you state or imply that the attack was “sophisticated” or “advanced”? Did you provide any evidence of that?
- Oddities – Were there any oddities, such as a timeline that doesn’t make sense or details that stretch credulity?
Read more on Forbes.