As I sit and prepare for the RSA Panel I've graciously been invited to by a colleague titled "GRC-201: Reasonably Foreseeable, Legally Defensible", I can't help but think about some of the companies playing fast and loose with our private information.
It's not like they're going to get burned, no, they've got lawyers for when the monkey-dung hits the fan... it's us poor saps who trust them with our information that get slammed.
What makes this worse is if you have no way of 'opting out' of using such a company's services. While I obviously can't be specific, let me just outline what I've personally witnessed, and some of the dangers of these actions... it's bad.
To start, let's make up a hypothetical company, in a totally made up industry. The fictional ACME company participates in a fictional data-brokering market where you don't have a choice to opt out.
All your financial and medical historical data is owned and brokered through this company... from your credit card history to your surgical history... and everything relevant is collected, aggregated, mined, stored and sold to other companies through this broker service.
You would think that the security behind this organization's applications would be bullet-proof... but you'd be wrong.
The ACME company has made a conscious decision, at the board level, to stick its head in the sand. After doing some rather complex mathematical calculations and figuring out what a full-scale Software Security Assurance program would cost them - versus what it costs to pay fines and lawyers - they've decided on the latter.
Hypothetically speaking, the ACME Company has decided to charge 4% additional margin so that in the event of breach or fine, there is a pool of reserve capital to draw from to pay everything to simply go away.
Now, there is the question of whether this is ethical or not - but as a business decision it stands... so what would you do? Worse... if you're the security manager or CISO - would you even stay in the job?
How about if you're one of their partners... or vendors? Simply making a calculated risk-based decision isn't enough... being responsible has to factor into the equation - or does it?
Currently I can't find any reason, legally, that ACME Company simply can't take the risk, and take its lumps when the time comes.
If there are no regulations that the company must comply with, and let's pretend that there aren't in their little niche industry, then what is to stop them from making this sort of decision and sticking to it?
If you were the security manager at this hypothetical company, ACME, what would you do? It would appear as though ACME Company is playing fast and loose with other people's money- and what's worse their personal data!
Cross-posted from Follwing the White Rabbit