Last Word: Schrodinger's IT security
Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the industry as a whole. This is the luxurious, wide-angle perspective which is expected of an industry analyst.
Then a story such as the hacking of Verisign comes along. In October 2011, Verisign disclosed in a quarterly report to the SEC that: “The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements.”