
Book Review: Breached! by Daniel J. Solove and Woodrow Hartzog


I just finished reading Breached! by Daniel J. Solove and Woodrow Hartzog.

This book dives into how current data security laws often miss the mark by focusing too much on breaches rather than prevention and accountability. While this specific topic was controversial, it offered some valuable insights on how we can shift our focus. One major takeaway is the role of human error in data breaches: we need to address security at both the technical and human-behavior levels.

Reading this gave me a deeper understanding of what organizations actually go through when a breach happens. I now realize that too much effort is spent on dealing with the aftermath, rather than building systems to prevent breaches in the first place. While I didn’t agree with everything in this book, I do believe that addressing the root causes is crucial. The cost of breaches goes beyond just money. Reputation, trust, and legal consequences are all on the line.

A good point in the book is that privacy enhances security. Strong privacy rules create accountability and reduce vulnerabilities by minimizing unnecessary data collection and retention. Good privacy practices are foundational to real security.

If you’re into cybersecurity law, data privacy, or breach awareness, this book is worth the read. Some examples get a bit repetitive, but the core message is good.


The Book in 3 Sentences

  1. It explores how to improve the legal approach to data security.
  2. Challenges the effectiveness of current breach-focused laws.
  3. Pushes for shifting toward prevention at both technical and human behavior levels.

How It Changed My Thoughts

  • It gave me a new perspective on how a breach affects a company beyond just technical recovery.
  • I saw how legal responses often focus more on reporting and punishment than on fixing what went wrong.
  • I think the law needs to focus more on mitigating the impact of breaches and preventing them in the first place, not just punishing companies after the fact (which does seem to be improving).

Most Important Takeaways

  • Perfect security isn’t possible, but damage can be minimized.
  • Human error is the #1 weak point, not just the tech.
  • Litigation adds cost but rarely prevents future incidents.
  • Strong privacy reduces breach risks.
  • We need to design systems that work with human behavior, not against it.

The Common Plot of Breach Stories

  1. The big spend wasn’t enough - Organizations spend heavily on security but miss small, critical details.
  2. Human error opened the door - Phishing scams, misconfigurations, and unpatched software are common entry points.
  3. Vendors were a weak link - Smaller vendors often have weaker security, creating a backdoor for hackers.
  4. Too much data was being kept and stored together - Excessive unneeded/poorly segmented data increases breach impact.
  5. Devices always seemed to disappear - Stolen devices, especially unencrypted ones, pose significant risks.
  6. Data was not encrypted - Many organizations still fail to encrypt sensitive data.
  7. One click was all it took - Phishing remains a major vulnerability.
  8. Lessons weren’t learned - Companies (especially smaller ones) often have the “it won’t happen to me” way of thinking and fail to train employees.
  9. Breaches often involved careless, simple mistakes - small, overlooked errors. It can be easy to miss the low-hanging fruit.

Highlights & Chapters

Ch 1: The System Is Down

High-tech solutions mean nothing if people aren’t trained. Human error keeps slipping past firewalls and AV software. Security has to be more than just tools; it needs a design and accountability mindset.

Ch 2: Data Breach Epidemic

Breach notification laws were meant to improve transparency, but they don’t fix anything. Major breaches like Yahoo, Marriott, and Uber show that without actual prevention, companies just throw money at the aftermath.

Ch 3: The Failure of Data Security Law

Breach laws fall into three types:

  • Notification laws (tell people something happened)
  • Safeguard laws (define basic protection practices)
  • Litigation (usually too late and too expensive)

The book criticizes the obsession with breach response rather than breach prevention.

Ch 4: The Big Picture

Absolute security is a myth. You need to balance convenience and protection. Making security easier for users actually improves outcomes. SIM swap attacks are a good example of how breached PII feeds into bigger attacks.

Ch 5: The Data Ecosystem

Breaches don’t happen in isolation; multiple people and roles contribute:

  • Designers who don’t prioritize secure defaults
  • Distributors like ad networks or app stores with bad vetting
  • Facilitators who unintentionally make tools used by hackers
  • Exploiters who keep flaws to themselves and profit off them

Ch 6: Reducing Harm

Identity thieves are hard to catch. Legal efforts often punish the breached orgs more than helping victims. Most cleanup costs go to lawyers and PR, not security improvements.

Ch 7: Privacy and Security Need to Work Together

When privacy and security are separated in organizations, they repeat mistakes. Companies often store unnecessary data, label breaches as “privacy issues” to dodge stricter penalties, and keep the front door wide open.

Ch 8: Designing Security for Humans

Security only works if people actually use it. The more annoying it is, the less people follow it. Good design should anticipate human error and protect users without needing constant input.


Final Thoughts

I highly recommend this book if you care about what happens after a breach and want to build your awareness of the issues that arise afterwards.

This post is licensed under CC BY 4.0 by the author.
