Communications - November 2011

$197 in 2008. The cost to consumers varies by incident, but studies indicate that victims spend between $600 and $1,400 to resolve cases of identity theft, in addition to whatever money was stolen or scammed from them.

How, then, to respond? Basic principles are easy to agree on: Reduce software vulnerabilities, help users understand the risks, and minimize potential damage with secure network architectures and exploit mitigation techniques. Opinions differ, however, about how to accomplish those goals. Take software vulnerabilities, for example. Could new laws give companies an incentive to reduce them? Do we need new regulatory authorities? To what extent can we even expect to make bug-free software?

“Secure code is the first link in the chain,” says Charlie Miller, chief security researcher at Accuvant Labs. “ People say, ‘We’re human, we can’t write perfect software.’ But we’re at 50% right now. We’re not even close.” Miller suggests that vendors create a cooperative fund to pay for the detection of bugs. “If a 17-year-old kid in Romania finds a bug, what will he do? Give it to the vendor for nothing or sell it to a black hat hacker?” Of course, some vendors pay for bugs, and TippingPoint’s Zero Day Initiative buys others, but the overall economic incentives tend to favor would-be attackers.

software Damages?

Legislation offers a different approach. In May, the European Commission introduced a proposal to hold companies liable for damages caused by faulty software. “We need to build trust so that people can shop around with peace of mind,” European Union consumer commissioner Meglena Kuneva explained in a press release.

Historically, however, software-related damages have been difficult to prove. “There have been loads of lawsuits around data breaches. The majority has been class-action suits, and I’m not aware of any that succeeded,” says Fred Cate, a law professor at Indiana University and director of the Center for Applied Cybersecurity Research.

Judges may dismiss suits because the victims are too diverse to be certified as a class or because there is no evidence they have been harmed

according to
industry experts,
sony may spend
up to $1 billion
investigating its
multiple data
breaches and
dealing with the
attendant problems.

as a direct result of the breach. ( After all, Social Security and credit card numbers are stored in many places.) In 2006, for example, data aggregator ChoicePoint settled a U.S. Federal Trade Commission suit that was brought after it reported the theft of 163,000 user accounts. ChoicePoint established a $5 million restitution fund, but transferred most of it to the U.S. Treasury in 2008 after determining that only 131 consumers had presented valid claims.

Determining vendor responsibility can also be difficult. Say you have a bot on your computer that came through a plug-in to your Internet browser and compromised your operating system. Which company is at fault?

For the most part, very little has been done to legislate cybersecurity. Beyond the fields of health care and finance, the majority of proposals have stalled, and while U.S. and European lawmakers are now trying to standardize the patchwork of local security notification laws that require companies to alert the victims of a breach, the effectiveness of such rules may be limited if notifications become too common and consumers simply ignore them.

“Our legal response to this problem has been unimaginative,” says Cate. “There is, for example, no incentive for cable companies to encrypt or secure the modems they place in customers’ houses. As consumers, we have no incentive to use secure passwords, and companies have no incentive to make us use secure passwords. What if mo-

Internet

Daily
Deals
Shakeout

internet sites that offer daily deals to consumers are dwindling as the industry, led by Groupon and LivingSocial, begins to shake out, according to a recent article in The Wall Street Journal.

the market has attracted many imitators of the leaders, but daily-deal-site aggregator Yipit.com reports that 170 of the 530 daily deal sites in the U.S. have either shut down or have been sold this year. moreover, even deep-pocketed companies like facebook and Yelp, which could capitalize on their large audiences, have scaled back on the service.

Why are daily deal sites disappearing? one of the biggest reasons is the shifting economics of the business, the Journal article reports. Although starting a daily deals business does not require much beyond creating a Web site and finding local merchants willing to offer a discount, and the expense of running a daily deals business have risen significantly as the industry has matured.

Specifically, it has become much more costly during the last two years to acquire subscribers who redeem daily deals, the article notes, citing executives at daily deal sites.

While it did not take a large
amount of marketing to win
over early adopters, it now
requires more spending to reach
a broader audience and to stand
out from the competition. Also,
the sites now need to hire more
salespeople to procure coupon
offers from local merchants.
the Journal cites Groupon
as an example of how costs have
increased. Groupon spent about
$8 to acquire each subscriber
who redeemed a daily deal in the
first quarter of 2010, according to
regulatory filings. By the second
quarter of 2011, that figure had
nearly tripled to about $23.

overall, Groupon spent $379 million in marketing in the first half of 2011, up from $35.5 million in the same period of 2010. many smaller daily deal sites, however, simply do not have the resources to compete on that level.