Public shaming may have fallen out of vogue, but now is as good a time as any to rethink a punitive tradition that is at least as old as the Puritans, especially where data privacy and security breaches are concerned.
In fact, it was with a bit of shame (and grumbling and churlishness) that I became a Facebook fan this morning of Data Privacy Day 2009, which is today (more grumbling).
I'm not quite sure how one observes this blessed event -- anyone wanna swap USB drives or RSA tokens? Do we test each other's password strength? Offer complete strangers money or candy for their PINs and SSNs?
The fan page doesn't exactly say. There are events I could attend, were I in Washington, San Francisco, or Philadelphia. But otherwise this PR stunt (orchestrated by Intel, the International Association of Privacy Professionals, Duke University, Google, Microsoft, and something known as a Womble Carlyle, among others) is the data privacy equivalent of buying the world a Coke. And about as satisfying.
"National awareness days are useless. Even the ancillary press they generate for their sponsors does nothing to enhance their image of being secure or associated with good security," said Richard Stiennon, chief research analyst for the consultancy IT-Harvest, in an email today. "There are negative repercussions as well. Security decision makers view publicity events and awareness campaigns as admissions of defeat: 'We cannot provide technology to solve the issue so we are reaching out to everyone to get them to stop doing stupid things.' "
Others may counter that anything that brings awareness and attention, particularly when it involves end users, is worthy of support. I agree, but only to a point -- and this is where I think public shaming may have some value. Financial services outfit Heartland just unabashedly reported the potential exposure of as many as 100 million credit card numbers after it found spyware in its systems. Whoops.
"Sorry for any inconvenience. We'll try harder next time."
The fact is, companies that experience these fantastic data gaffes aren't penalized or punished, or if they are, it's a light slap at best. TJX is a great case in point and there's no reason to think that Heartland will be much different. Maybe there will be some short-term tarnishing of the brand name; the share price may fluctuate (but these days, who'd notice?).
Is this a case of blaming the victim, or worse? CIOs may lose their jobs after such breaches. Is that a sufficient warning to organizations -- in its own way, a public shaming? Maybe such incidents should require the CEO to face down a public tribunal -- shareholders, customers, district attorneys looking to make names for themselves. Reporting and disclosure issues aside, the penalties are pretty meager given the scale of these incidents. A little shame on them might prompt a harder look at the tools and systems (and vulnerabilities) in place.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities.
I didn't intend to try and put words in your mouth, Terry. Sorry about that.
Government cases are especially concerning, that is very true. Law enforcement breaches could be disastrous--going well beyond financial penalties.
I rather like the idea of the credit agencies having to modify their behaviors after a breach--particularly for those individuals whose credit reports are vulnerable after the disclosure.
Perhaps it is time to put the onerous burden of disclosure on 3rd party firms that store personal information--if I maintain a file on you, I have to tell you. At least then the individuals could know if they are at risk after a breach.
Thanks for that personal anecdote, Mike... the stick I have in mind is not credit bureau reporting fees paid by taxpayers indefinitely (or even at all). The case of government agency sloppiness is more troubling than corporate breaches in that apart from firing someone or re-assigning them, there's not much organizational incentive to make sure data isn't exposed. We can't exactly suspend or fine the VA, can we?
I understand what you're saying, Leland, but this is a tricky one in that Heartland is a clearinghouse for the card-issuing banks. Heartland can't really suspend its clients, nor the reverse, unless banks and their retail clients somehow do multiple sourcing on these transaction approvals.
But if I understand you correctly, financial institutions that are quick to suspend, assess penalties and interest, or cancel accounts outright ought to be subject to some similar draconian punishment when they drop the ball this way. I'm not holding my breath on this one; the rules will continue to protect those with the power.
Great idea, GajaKannan... not just all the "C" level execs but also all the directors on their board, and at least one family member of each. The prospect of ensuring the company feels the same pain (and spends accordingly to circumvent or minimize the possibility) can only improve the record here.
Actually, a few years ago it was customary in the Far East that the executives of a company whose data had been breached appeared before the board, hanging their heads in acknowledgement of public shame.
I remember a few years ago, the Veterans Administration had a laptop go missing, with a large file containing my personal information. They responded by paying for me to be added to a credit monitoring service that is still running today.
My first thoughts about this were how that data was allowed onto a laptop in the first place. Then I thought about the tools that were available to me, and with little effort, I could have some confidential information on my laptop easily enough--with good intentions as part of my market analysis work.
I've recently realized that I am paying for that credit monitoring service still. Not directly, but tax dollars sure are. And I'm a taxpayer, as the politicos keep pointing out to me lately. The problem with financial penalties, or any penalties that upset service, is that someone else usually ends up footing the bill.
Or even worse, things go unreported, and the threats go unnoticed by all of us.
Perhaps shame is good, or a bonding type of solution. Or perhaps an industry that insists that my private information really belongs to them, had better create stronger security alliances that work with law enforcement and do a better job at protecting our data than PCI. A legislative or punitive solution might not drive us the right way, but an industry solution that gives an institution some marketing capital for ongoing work on evolving security solutions proactively (like the bad guys do) might instead work better.
If the carrot doesn't work, there is always the stick. Let's just be sure we are all willing to pay the price.
I agree putting teeth in penalties is the way to go. Unfortunately, blocking their services may penalize those who wish to use them. Perhaps if there were an automatic dollar credit to all existing customers, that would get the company's attention and would at least offset any concerns other customers might have.
Public scrutiny can be a very compelling antidote. There should be more public humiliation and perp walking. Soiled reputations and red faces many times do not serve as the proper deterrent. In this case the horses already left the barn.
Former CEO of Merrill Lynch, John Thain, publicly apologized for his $1.2 office renovation (despite a record $14 billion 4th quarter loss) and, after Bank of America's acquisition of M.L., he promised to reimburse B of A.
He will however be able to keep that $35,000 toilet.
Well, I think stoning, drawing and quartering, or pillorying them would be appropriate. The notion that the consumers have to watch their credit reports after a stunt like this is just bizarre. It seems to me that the credit card issuing banks should be just a little more concerned about security breaches like this.... and if there's any suspending to do, they'd be the ones to do it....
I think a better policy that will have some teeth is that all the companies that handle someone else's data should also put their CXOs' (CEO, CFO, COO, CIO, etc.) credit cards, home addresses, health information, etc., in the same system where they host their customers' information. If they do, I am sure each IT department will take all the precautions and measures to ensure the customer data is not compromised...