The fifth lesson was of the legal system. As you recall, I chose to not involve the police. If I had, I likely could have filed charges against the boy. (Not sure if it would have been breaking and entering, since he didn’t seem to break anything.) I chose to not do this. There were several reasons:

• No harm, no foul.
• It would have taken a lot of time to deal with the paperwork… and I had a full schedule.
• I do not know how the law would have handled it, but to my own mind, I was just as negligent as he was.

In effect, I made a business decision that to involve the law would likely cost more (in time) than it was worth. Many people are faced with decisions like this, and most people have a different invisible line that must be crossed. I have known businesses that would call the police at the drop of a hat. I have also known business that would ignore successful network intrusions, considering them a “cost of business“.

In the event of a breach, most businesses consider it as follows:

• dollar amount stolen + dollar amount of lost time in repair
• dollar amount of successful prosecution times likelihood of successful prosecution - cost of successful prosecution - loss of trust in the market

It is often easier for a business to simply accept the loss than to risk greater losses by involving the legal system… but sometimes there is no choice. An increasing number of states have disclosure laws. If the breach involved any personal information (names, addresses, credit card numbers, social security numbers, etc), you may well be required to disclose the incident and accept any negative consequences that arise.

So, what is a business to do? First of all, you should have a lawyer that can help guide you through such a decision. Secondly, you should have a lawyer before a problem occurs - so that they are already familiar with your business. Third, you should know your data and know what possible ramifications might exist from storing it. Fourth, and optionally, you should have a security office or consultant who can look at your system and offer ways to limit risk and/or detect potential breaches. See, you’ll want to be the one telling your clients about the guy that broke in… not the newspapers.

Once you have these, your primary question should always be “Do I need to keep this data?“. If you are keeping information on users “just because“, and if that information would cost you if it got out… DELETE IT! It’s OK, if your users want you to have it, they’ll give it to you again.

My questions to you:

1. What data do you store on your employees, customers, clients, and partners?
2. If that information were stolen, how much could it damage you? (fines, lost clients, stolen clients, blackmail)
3. How many years would it take you to recover?

Related posts

• Real Life Lessons: Social Engineering (0)
• Real Life Lessons: Monitoring (0)
• Real Life Lessons: Defense in Depth (0)
• Real Life Lessons: Access Control (0)
• Real Life Lessons: The Story (3)