$197 in 2008. The cost to consumers
varies by incident, but studies indicate
that victims spend between $600 and
$1,400 to resolve cases of identity theft,
in addition to whatever money was stolen or scammed from them.

How, then, to respond? Basic principles are easy to agree on: Reduce
software vulnerabilities, help users
understand the risks, and minimize
potential damage with secure network
architectures and exploit mitigation
techniques. Opinions differ, however,
about how to accomplish those goals.

Take software vulnerabilities, for example. Could new laws give companies
an incentive to reduce them? Do we
need new regulatory authorities? To
what extent can we even expect to make

“Secure code is the first link in the
chain,” says Charlie Miller, chief security researcher at Accuvant Labs.
“People say, ‘We’re human, we can’t write
perfect software.’ But we’re at 50% right
now. We’re not even close.” Miller suggests that vendors create a cooperative
fund to pay for the detection of bugs.
“If a 17-year-old kid in Romania finds
a bug, what will he do? Give it to the
vendor for nothing or sell it to a black
hat hacker?” Of course, some vendors
pay for bugs, and TippingPoint’s Zero
Day Initiative buys others, but the overall economic incentives tend to favor

Legislation offers a different approach.
In May, the European Commission
introduced a proposal to hold companies liable for damages caused by
faulty software. “We need to build trust
so that people can shop around with
peace of mind,” European Union consumer commissioner Meglena Kuneva
explained in a press release.

Historically, however, software-related damages have been difficult to
prove. “There have been loads of lawsuits around data breaches. The majority has been class-action suits, and I’m
not aware of any that succeeded,” says
Fred Cate, a law professor at Indiana
University and director of the Center
for Applied Cybersecurity Research.
Judges may dismiss suits because
the victims are too diverse to be certified as a class or because there is
no evidence they have been harmed
as a direct result of the breach. (After all, Social Security and credit card
numbers are stored in many places.)

Sony may spend up to $1 billion dealing with the

In 2006, for example, data aggregator ChoicePoint settled a U.S. Federal Trade Commission suit that was
brought after it reported the theft of
163,000 user accounts. ChoicePoint
established a $5 million restitution
fund, but transferred most of it to the
U.S. Treasury in 2008 after determining that only 131 consumers had presented valid claims.

Determining vendor responsibility
can also be difficult. Say you have a bot
on your computer that came through
a plug-in to your Internet browser and
compromised your operating system.
Which company is at fault?

For the most part, very little has
been done to legislate cybersecurity.
Beyond the fields of health care and finance, the majority of proposals have
stalled, and while U.S. and European
lawmakers are now trying to standardize the patchwork of local security notification laws that require companies to
alert the victims of a breach, the effectiveness of such rules may be limited if
notifications become too common and
consumers simply ignore them.

“Our legal response to this problem
has been unimaginative,” says Cate.
“There is, for example, no incentive for
cable companies to encrypt or secure
the modems they place in customers’
houses. As consumers, we have no incentive to use secure passwords, and
companies have no incentive to make
us use secure passwords. What if mo-

Internet sites that offer
daily deals to consumers are
dwindling as the industry, led
by Groupon and LivingSocial,
begins to shake out, according
to a recent article in The Wall

The market has attracted
many imitators of the leaders,
but daily-deal-site aggregator
Yipit.com reports that 170 of the
530 daily deal sites in the U.S.
have either shut down or have
been sold this year. Moreover,
even deep-pocketed companies
like Facebook and Yelp, which
could capitalize on their large
audiences, have scaled back on

Why are daily deal sites
disappearing? One of the
biggest reasons is the shifting
economics of the business, the
Journal article reports. Although
starting a daily deals business
does not require much beyond
creating a Web site and finding
local merchants willing to offer
a discount, the expense of
running a daily deals business
has risen significantly as the
industry has matured.

Specifically, it has become
much more costly during
the last two years to acquire
subscribers who redeem daily
deals, the article notes, citing
executives at daily deal sites.
While it did not take a large
amount of marketing to win
over early adopters, it now
requires more spending to reach
a broader audience and to stand
out from the competition. Also,
the sites now need to hire more
salespeople to procure coupon
offers from local merchants.

The Journal cites Groupon
as an example of how costs have
increased. Groupon spent about
$8 to acquire each subscriber
who redeemed a daily deal in the
first quarter of 2010, according to
regulatory filings. By the second
quarter of 2011, that figure had
nearly tripled to about $23.

Overall, Groupon spent $379
million in marketing in the
first half of 2011, up from $35.5
million in the same period of
2010. Many smaller daily deal
sites, however, simply do not
have the resources to compete
on that level.