Category Archives: Security

Ponemon Breach Study Gets it Wrong

Dark Reading has posted an interview with Ponemon regarding the latest breach notification study. The study claims that “Costs Of Data Breaches Much Higher In U.S. Than In Other Countries”.

“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.”

This is not accurate. There are at least twenty-four countries in the world with breach notification requirements that cover suspected loss, as I explain in my presentations on breaches.

The UK, for example, requires public entities to disclose a breach after media is lost or goes missing. This is the reason you will find reports about them in the news. Commercial entities are less regulated, but it is not accurate to say notification doesn’t happen anywhere else in the world.

The Money Stop gives a good example from last month:

The HMRC office that has been involved in the latest breach is the same one that lost the details of 25 million people on discs back in 2007, raising a major alert over identity theft and security.

Why would they disclose this breach or the one three years ago when they only suspect records may be affected? They are required to do so by the Information Commissioner’s Office (ICO) under the Data Protection Act (DPA) of 1998. The Department of Work and Pensions, DVLA and other government bodies have also reported breaches, as documented in the list of DPA violations.

Ponemon’s study gives a few numbers for impact:

Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.

I question whether they have found the right cause or whether they rely too much on a correlation.

India leads APJ malware

Today’s India Times article on malware statistics has an almost boastful tone as it says India is the “no. 3 haven for hackers”.

The country saw an average of 788 bots per day during 2009. Bots are malware that turn computers into zombies, and there were 62,623 distinct bot-infected computers observed in the country during 2009. Amongst the cities in India with the highest number of bot-infected computers, Mumbai figured at the top with 50%, followed by Delhi at 13% and Hyderabad at 7%.

The recipe for malware growth, both in terms of infection and generation, comes from network speed and ubiquity of hardware.

Symantec suggests this briefly in their April 2010 Global Internet Security Threat Report.

Brazil’s significant increases across all categories are related to the growing internet infrastructure and broadband usage there.

How much growth? Over what period? In other words, the more systems connected with high-speed access, the more malware you should expect. The article does not give this analysis, nor does Symantec. The more interesting statistic would be the percentage of total systems infected relative to the total number of people with systems, and its rate of change, instead of just who has the most infected systems.

Use of smell for security

Australian researchers have tried to train an endangered species, the quoll, not to eat large poisonous toads. It seems to be working.

The challenge, explained Dr Webb, was that the toads have very large toxin glands in their shoulders, primarily containing chemicals called bufadienolides, which can very quickly induce a cardiac arrest.

“The quolls see the toad as a big frog,” he explained.

“It looks good to eat, so they just pounce on it and get a fatal dose of toxin. There’s no chance they can learn from the encounter.”

Now the quolls are being trained through a bad experience with toad meat in a form that will not kill them. The researchers have worked before with feral cats. The next question is whether this would work for species such as coyotes and wolves.

IRS Safeguards Program

Tax time seems like an appropriate time to make note of the IRS Safeguards Program.

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.