Are sloppy security controls actually beneficial to a company during a breach?  This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times. A retail merchant, Genesco is suing Visa over fines from a security breach. The claim is that Visa improperly