
Breaches and implausible deniability

On Jan. 24, the European Information Commissioner's Office (ICO) fined Sony Computer Entertainment Europe Limited £250,000 following a breach of the Data Protection Act.

The fine isn't really a significant amount of money for a company like Sony, but what is important is the logic behind the fine. Sony is being penalized not for failing to act on problems it knew about, but for its failure to identify the problems in the first place.

This decision is a clear indication that the concept of plausible deniability is dead, or at the very least dying. The days of refusing to look for possible IT and security threats with the potential to result in the loss of customer data are over. 

The argument that because the issues were unknown it was not possible for the business to fix them is no longer going to be accepted as an adequate defense. 

David Smith, deputy commissioner and director of data protection for the ICO, reportedly said, “There's no disguising that this is a business that should have known better.” To security practitioners, this is music to our ears. Putting your head in the sand and avoiding learning about the security weaknesses surrounding your IP or your customers' information won't stop the attackers from looking for, finding and targeting those weaknesses. So claiming that it is not your fault when they do is illogical and harmful to your customers.

What is the implication? Well, Smith went on to say, “It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”

That means that a company can reasonably be expected to employ technical expertise and should be performing regular risk assessments of its IT environment, both internal and external. The question then becomes: of what type of company would we have a reasonable expectation of technical expertise? Any company that derives some of its reputation or income from its online presence would seem like a candidate to me, as would any company that would cease to make money if its IT infrastructure went away.

It is in the best interest of customer data that a strong message be sent to organizations that the expectation is that they are to be continuously looking for security issues and developing remediation and compensating controls to reduce or eliminate risk. This would make organizations more secure (and I would argue is likely to make them more efficient), while improving protection of customer data.

But is this possible? Despite what the movies might have told us, running a modern vulnerability scanner is something a child (or an executive) could do. So I find it hard to believe that any organization lacks the internal capability to do that. But the critical point is not that they are looking for vulnerabilities, though they should be, but that they are determining which of the discovered vulnerabilities represent business risk and should be remediated. Interestingly, this is easier for a small organization because of the smaller number of assets that need to be assessed.

In summary, this is one of those seemingly rare examples where a ruling reflects what we all know to be true. If something is common knowledge and you fail to even consider doing it, then you are at fault for not even trying, as much as someone else is at fault for trying and failing.

Alex Horan

From my first job doing data entry (where I discovered I could fix the computers better than anyone else in the company) until now, I have not lost my passion for new technology and for helping people understand how technology can best help individuals and enterprises achieve results, without getting in their way. I am a security-focused product manager who has strong experience leading teams and directing the growth and development of products. My background in start-up-based project management means I am very comfortable meeting with customers, prospects, and analysts in order to determine the best investment we can make in our product development. I also enjoy communicating the needs of those disparate communities to the engineering teams, be it in agile or waterfall development.
