The Complete Guide to Security Breach Disclosure

Six-part set of articles takes 360-degree look at the implications of new laws that require organizations to notify people whose personal information has been compromised

By Sarah D. Scalet

February 29, 2008, CSO

CSOonline.com has published the sixth and final installment of a ground-breaking month-long series on the legal, logistical and cultural implications of the mandated disclosure of security breaches. The series includes:

* an interactive map of state breach disclosure laws
* a read-between-the-lines look at two breach notification letters
* advice on how to respond to a data breach disclosure letter
* an analysis of a new health-care disclosure regulation
* an interview with a prominent attorney about pending disclosure legislation, and
* an essay exploring the implications of breach disclosure.

The last piece, written by CSO Executive Editor Scott Berinato, is a retrospective on what Berinato has learned about evaluating risks to himself and his family. In the essay, "The United State of TMI," Berinato concluded that the countervailing force to what's become an overwhelming amount of disclosure about risks is to find ways to get control of the situation. He writes:

We have many ways of creating a sense of control. One is lying to ourselves. "We're pretty good at explaining risks away," says Paul Slovic, former president of the Society of Risk Analysis. "We throw up illusory barriers in our mind. For example, I live in Oregon. Suppose there's a disease outbreak in British Columbia. That's close to me, but I can tell myself, 'that's not too close' or 'that's another country.' We find ways to create control, even if it's imagined." And the more control--real and imagined--that we can manufacture, Slovic says, the more we downplay the chances a risk will affect us.

Conversely, when we can't create a sense of control over a risk, we exaggerate the chances that it'll get us. For example, in a column (near the bottom), Brookings scholar Gregg Easterbrook mentions that parents have been taking kids off of school buses and driving them to school instead. Part of this is due to the fact that buses don't have seat belts, which seems unsafe. Also, bus accidents provoke sensational, prurient interest; they make the news far more often than car accidents, making them seem more common than they are.

Yet, buses are actually the safest form of passenger transportation on the road. In fact, children are 8 times less likely to die on a bus than they are in a car, according to research by the National Highway Traffic Safety Administration (NHTSA). That means parents put their kids at more risk by driving them to school rather than letting them take the bus.

Faced with those statistics, why would parents still willingly choose to drive their kids to school? Because they're stupid? Absolutely not. It's because they're human. They dread the idea of something out of their control, a bus accident. Meanwhile, they tend to think they themselves won't get in a car accident; they're driving.

To read the rest of the essay and series, see the Related Articles below.
