[JacobEdelman]

Companies should be implementing good security not because of the good press it will get them but because of the bad press it won't get them.

[6d0debc071]

While I understand that that's primarily a normative statement, you have to have something significant to lose to be worried about the potential losses. It's going to make more sense, initially, for a company to invest in activities that they expected to generate revenue than it is for them to invest in activities that secure the source of that revenue. It would only be once you already had significant liabilities that it would start to make sense to invest in security, and even then only if you expected breaches of security to result in significant loss with respect to the source of that revenue (questionable, if you've achieved significant market leverage then people may not be that worried about breaches to their data. I'm reminded of this sort of thing: http://www.huffingtonpost.com/kyle-mccarthy/32-data-breaches... .)

[falcolas]

Bad press rarely costs as much as good press makes.

Plus, even bad press is getting your name out there, another form of marketing which can be spun by the company into revenue.

[JacobEdelman]

In this case I meant the bad press that results from a security leak.

[falcolas]

Security leaks are so common now as to be a non-event for 99.9% of the populace. Even I just go change a password or two and move on with my life.