Security Breaches: The Victim Will Get Blamed, and Worse

By Barbara Rogan, LogLogic General Counsel
Blame the victim. This was a common defense in the sexual assault cases I helped prosecute when I worked as a prosecutor. Unfortunately this mentality applies not just to rape cases, but also to companies whose critical data has been breached, even when criminals are the ones stealing the data.
One of the biggest data breaches in recorded history hit Heartland Payment. This is a bona fide case of the bad guys attacking networks and compromising critical data. In Heartland Payment's case, the data breach wasn't found for many months, and Heartland Payments has no idea how many credit card numbers were jeopardized: potentially millions, but no one knows for sure (or at least they are not saying so publicly). To deal with the publicity and legal fallout, Heartland established a website (www.2008breach.com) dedicated to the breach. The bad guys were caught pretty quickly after the breach was discovered (see: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=214303553) and they have already pleaded guilty (see: http://news.cnet.com/8301-27080_3-10423008-245.html). But the fact that the bad guys were brought to justice did not exonerate Heartland. Just this last month, Heartland Payments paid a settlement of $3.5 million to American Express for damages associated with the breach. Amex apparently was the smallest of the three settlements Heartland will have to pay, as they still have not settled with Visa or MasterCard.
Okay, so Heartland is a big company, but smaller businesses have been hit with lawsuits for failing to protect data. RockYou, a Facebook app, was recently sued in San Francisco in a class action lawsuit (see: http://news.cnet.com/8301-1009_3-10423042-83.html). Again it was certified bad guys stealing the data. But because RockYou didn't take reasonable security precautions to protect that data, they are now facing a very expensive suit and all the negative publicity that entails. I am sure that RockYou didn't want to get profiled by CNET for this reason.
Beyond the civil suits, there is the potential of criminal action. Just ask HealthNet and Wentworth-Douglass Hospital. Both have suffered data breaches that have resulted in investigations by their state's attorney general office (see here and here).
The bottom line is that no company should expect sympathy if data in its care gets breached. Consumers, plaintiffs, and regulatory agencies are just as likely to blame your company as they are the bad guys. You're the victim of the data theft, but unless your company has taken all the available precautions it can, you'll also be viewed as one of the "bad guys."
Shameless plug section: so how does this relate to LogLogic? One way to make sure you have taken all proper precautions is to have complete visibility into the events in your systems. It all starts with Log Management, and for visibility and control over your security environment, our Security Event Management. Check them out for more information.
- christophe.briguet's blog
- Feed: LogBlog