In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages.
There are many interesting bits in those four pages, but the two that really jumped out at me are:
- The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.
- The Hannaford breach (as understood in light of the HSBC notification) illustrates that data breaches not amounting to the breach of “personal information” have the potential to be as damaging as those that do involve such information.
What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new. It might, if you’ll forgive me, even be New School.