In 2013-2014, data breaches have gotten as much headline attention as ISIS, Ebola and the mid-term election. All with very similar coverage, that is a lot of fear mongering and not much information. Because I work (and have for the last decade) legal and compliance for companies where data security is a top priority as a requirement from our customer base, every time a new breach hits the news I get a ton of calls with questions and rants about what corporate America is (or is not) doing to protect against this new menace.
As long time readers know, from time to time I make a public service posts that have more to do with the latest pain in my ass than with the in house practice of law. And lucky you, this is one of them.
We need to collectively take a deep breath and stop the mass panic over the cyber breach, and really please stop sending me invitations to the sky is falling CLEs on the subject.
Look, businesses need to be vigilant and take the appropriate actions to prevent as many breaches as possible. This is a given. I have a guy at work who spends all day long (and probably has nightmares all night long) dreaming up what could go wrong and trying to make sure we've prevented it. I'm not going to give a pass to any company who puts their non-critical AC functions on the same server as their PCI data. However, treating every breach like it's all caused by gross negligence, and having an media trial convicting every company of malice and greed because they didn't do enough to keep your data safe is ridiculous. Have you kept your data safe? Really? Keep your insurance card in your glove compartment? Yes? It has your full name and home address on it. If your car was made in the last few years, it also has a garage door opener built right in. You've just given any wanna be car thief the means to rummage through your house. Keep any personal information laying around at home? Your negligence has allowed a potential data breach of your house. How could you! You should be locked up and the key thrown away! (Insert fake outrage here.)
Ya, not all breaches are created equal. And that's why the reaction and way a breach is handled is so important. And why we, the public, need to chill just a little. Did you know that there are 47 different breach notification laws in the US alone? And some of those laws conflict – in one you must notify the state AG first before notifying the public. In another you must notify the public within a given timeline (one that doesn’t give much time to coordinate with other state’s AGs). And then there are insurance requirements if you want the breach covered. Not to mention the criminal investigations and the requests from the various alphabet soup agencies. Dealing with a breach isn’t easy and it takes time to fully understand it. And quite frankly, we the public, should want every organization to be able to focus on quickly finding out what caused it and stop it from continuing without having to divert attention to managing the public panic.
As long time readers know, from time to time I make a public service posts that have more to do with the latest pain in my ass than with the in house practice of law. And lucky you, this is one of them.
We need to collectively take a deep breath and stop the mass panic over the cyber breach, and really please stop sending me invitations to the sky is falling CLEs on the subject.
Look, businesses need to be vigilant and take the appropriate actions to prevent as many breaches as possible. This is a given. I have a guy at work who spends all day long (and probably has nightmares all night long) dreaming up what could go wrong and trying to make sure we've prevented it. I'm not going to give a pass to any company who puts their non-critical AC functions on the same server as their PCI data. However, treating every breach like it's all caused by gross negligence, and having an media trial convicting every company of malice and greed because they didn't do enough to keep your data safe is ridiculous. Have you kept your data safe? Really? Keep your insurance card in your glove compartment? Yes? It has your full name and home address on it. If your car was made in the last few years, it also has a garage door opener built right in. You've just given any wanna be car thief the means to rummage through your house. Keep any personal information laying around at home? Your negligence has allowed a potential data breach of your house. How could you! You should be locked up and the key thrown away! (Insert fake outrage here.)
Ya, not all breaches are created equal. And that's why the reaction and way a breach is handled is so important. And why we, the public, need to chill just a little. Did you know that there are 47 different breach notification laws in the US alone? And some of those laws conflict – in one you must notify the state AG first before notifying the public. In another you must notify the public within a given timeline (one that doesn’t give much time to coordinate with other state’s AGs). And then there are insurance requirements if you want the breach covered. Not to mention the criminal investigations and the requests from the various alphabet soup agencies. Dealing with a breach isn’t easy and it takes time to fully understand it. And quite frankly, we the public, should want every organization to be able to focus on quickly finding out what caused it and stop it from continuing without having to divert attention to managing the public panic.
This is not to say that organizations need to step up their
game. The number and scope of breaches this year has been unbelievable. We need to be ever vigilant – the criminals
are getting smarter, better technology and they spend as much energy building
these operations as many founders of legitimate tech start ups do. Organizations need to at least endeavor to be
a diligent as they are in protecting our customers against their intent. And that may mean reassessing what type of
data we collect, how we collect it and what we do with it. But you Mr./Mrs. G.Public, need to be
diligent too. Don’t give data to
questionable sources, don’t jump to conclusions of malice and realize that for
all the convenience and low prices you are demanding as a consumer comes at a
price. Either be willing to pay a bit
more for better security or add yourself in the blame mix when your payment
data gets compromised. Oh – and stop
complaining about it to the only person you know who actually understands how
it all works. OK end rant, back to our regularly scheduled program soon.
No comments:
Post a Comment