[Owasp-portland] Owasp-portland Digest, Vol 13, Issue 1

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Tue Feb 8 01:48:41 EST 2011

Hi Mel,

Thanks for sharing your experiences.

> Given this history, I expect little to nothing to be done by businesses
> to comply with Oregon (or any other state's) data breach notification
> statutes until they start seeing their peers getting some significant
> fines handed down and loosing business due to the publicity of breaches.
>  Perhaps at some point the cost to comply will be less than the various
> risks of getting caught with your pants down on this.

Yes, I think that's an keen observation.  I frequently forget, and am
reminded with equal frequency, that decisions about compliance tend to
come down to some approximation of:

[cost of compliance] >? [cost of breach]*[chance of being caught]

In many cases, businesses estimate the likelihood of being caught to be
very low.  In the case of a new law like this, if no one has been
prosecuted under it, then businesses would be reasonable (statistically,
not ethically) in estimating that the likelihood of being caught is
precisely 0.


More information about the Owasp-portland mailing list