“After Data Loss ID Theft Soars”….really?
PCI DSS, Fraud, Data Compromise, QSA, Chris Mark, Visa, MasterCard

I have worked in payment card security since 2000, when I was involved with Visa in writing, re-writing and updating the CISP. Since then I have had the opportunity to work with Visa and MasterCard, to work as a QSA, and to work as a QSA trainer. During that time I have had many opportunities to work with compromised companies and review their forensic reports. I am disturbed by an article I found on MSNBC.com titled “After Data Loss ID Theft Soars”. One of the first paragraphs in the article provides language from what they refer to as the "Dear John" letters:

“Dear Consumer. We’ve lost your personal information. It’s fallen off a truck/was on a laptop that was lost/was stolen by a hacker. We’re sorry and we promise to be better in the future. Good luck.”

In my experience, I have seen few, if any, companies actually LOSE cardholder data. I have seen it stolen many, many times: an attacker breaks in, copies the data and exfiltrates it, and the company still holds its own copy. I find the assumption that the victim was somehow at fault troubling. There seems to be a perception in the media that the victim is at fault whenever data is compromised. It would be difficult to envision the same attitude being applied to a bank robbery, a burglary, or a kidnapping. Imagine the following: “Dear Mark family, We’ve lost your son. He’s been lost from a ship off the coast of Eastern Africa that was hijacked/was attacked by a pirate.” Clearly this is a ridiculous position to take in a kidnapping, yet we are quick to blame the victims of data breaches.

Now, before the critics start talking about non-compliance and the other issues that were part of the reason the company was vulnerable: clearly there are things that could have been done better. Hindsight is a wonderful thing. Unfortunately, we don’t have the benefit of hindsight before an event occurs, and the same argument can be made about any activity. “The ship should have avoided Eastern Africa, so they are at fault.” “The bank should have had thicker vault doors.” We can always second-guess any situation and say that the victim should have done better.

The purpose of this post is not to say that companies that are compromised could not have done things better. In some cases, the companies were clearly negligent. The purpose is simply to say that companies that are compromised are not solely responsible; they are victims of a crime. They did not simply ‘lose’ the data.


Written on Friday, 20 November 2009 03:45
