I was recently listening to an analysis of the Target security breach on
NPR's On Point with Tom Ashbrook. One of his guests for the show was David
Lazarus, a consumer columnist for The Los Angeles Times. Mr.
Lazarus had written an article that took the position that companies are
willfully leaving customer information vulnerable to disclosure because the
cost of securing the data is too high (Lazarus, 2014).
Mr. Lazarus makes a valid point when he indicates that it is expensive to
secure networks and data, and it is indeed a business decision to balance
security against usability and availability. Unfortunately, in
my opinion, he goes off the track when
he suggests that organizations can deploy a multitude of security mechanisms to
provide absolute security.
As I am sure you are aware, every security technology has inherent vulnerabilities. Every
tool that is introduced into a network can, and with enough time will, be
defeated. In other words, there will never be perfect security in a
network designed for commerce. Even encryption, which some tout as the
holy grail for securing data, has weaknesses in its implementations and key
handling that allow for the possibility of its defeat.
It is true that businesses are collecting more and more information from their
customers. Many are asking for email addresses, telephone numbers, and
other non-financial information at the point of sale. Others are offering
club cards, memberships and discounts which collect the same information.
This information, while innocuous on its own, can be a rich target for hackers and identity
thieves. What is often forgotten, or perhaps overlooked, is that none of
this information is needed to complete the transaction. Customers can
simply say no, refuse to provide their email or telephone number, and
complete the transaction. This might mean that they are not able to
receive a discount on the purchase, or miss out on special sales, but their
information will be just a little bit more secure.
I do support, as I have previously posted, the idea of assessing a fee on
organizations that experience a breach, perhaps on a sliding scale if it can
be determined that the organization was negligent in providing security for its
customer data, but I would be cautious about making the fine so high that it
becomes a deterrent to reporting. I also feel that any fines collected
due to a breach should be used to create a "super fund" to provide
monetary support for consumers who have their information compromised as a
result of a breach, to fund research and education, and to fund the
identification and prosecution of cybercriminals.
To me, the most unsettling fact about the recent string of breaches is the
time that elapsed between the initial breach and the organization's public
notification of the breach. There is no reason that an organization
should be sitting on a known breach for four weeks without providing
notification to those who were affected. That to me is unconscionable
and should be a primary concern for our legislature to address.
The bottom line is that there is no such thing as perfect security: consumers
need to reassess the value of their personal privacy and control how their information is distributed,
organizations need to voluntarily disclose data breaches in a more timely
manner, and as a nation we need to examine a comprehensive breach
notification law.