Point by Marcus Ranum
THERE'S AN OLD SAYING, "Sometimes things have to
get a lot worse before they can get better." If that's true,
then breach notification laws offer the chance of eventual
improvements in security, years hence.
For now? They're a huge distraction that has more to
do with butt-covering and paperwork than improving
systems security.
Somehow, the security world has managed to ignore
the effect voluntary (?) notification and notification laws
have had in other fields, namely none. We regularly get
bank disclosure statements, stock plan announcements,
HIPAA disclosures, etc., and they all go immediately
in the wastebasket, unread. When I got
my personal information breach notification
from the Department of Veterans
Affairs, it went in the trash too.
"Your personal information has been
disclosed...yadda, yadda, yadda":
annoying stuff that's my responsibility
to deal with because someone, someplace
else, didn't handle data about me
responsibly. We are deluged with fine-printed
disclosures and warnings, and
eventually they're all as empty of meaning as the Department
of Homeland Security's color-coded terrorism threat
warning level.
Aside from causing numbness in customers' minds,
breach notification laws don't actually do anything to
encourage good behavior; they just make bad behavior
more obvious and expensive. The theory, I suppose, is
that businesses will improve their security out of fear
of losing customers due to a breach. There are three
problems with this theory:
* Most customers seem to assume that if one bank/
brokerage/hospital/whatever can't keep its data secure,
it's likely that none of them can, and there's zero incentive
to switch.
* It's already too late. You might be able to motivate a
customer to switch providers before there is a problem,
but after there's a problem, they're going to be more
likely to spend their time calling in fraud alerts and looking
at their bank statements than complicating things
further by switching providers.
* It assumes there is actually a free market. My Social
Security number was leaked by the U.S. government. As
much as I'd like to fire them, I can't.
All I see breach notification laws doing is informing
customers that they need to pay attention to their horses
after they've left the barn via an unlocked door in someone
else's barn. Not to over-stretch an analogy, but if you
let my horse out of your barn, it's your problem to catch
him safely and if anything bad happens to him while he's
gone walkabout, it's your responsibility. What these data
breach laws are really saying to the consumer is "our mistake
is your problem and we're bending over backwards
to make sure you know that...it's your problem."
We know that's silly.
But breach notification laws encourage businesses
and government agencies to worry about entirely the
wrong thing: they should be worrying about the barn
door. Most importantly, it shouldn't be the customer's
problem.
A lot of personal information is at risk because it is
stored in systems that are not well designed to separate
information within the organization. Some of us were
warning about this back in the late 1980s; it's a bad idea
to have your database configured so every secretary and
contractor can access any record it contains.
As long as systems are built that way, there will be news
stories such as "Bored contractors examine presidential
candidates' medical records" or "Customer database sold
by ex-employee." This is not rocket science; it's just common
sense. I'd rather have my government agencies and
commercial providers worrying about how to fix their
poorly designed systems than having their lawyers wordsmithing
breach notices.
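The design flaw the column describes, a database where being logged in is the only check on reading any record, is easy to see next to a need-to-know version of the same read. The following is an added example and is not code from the column or from any organization it mentions; the table names, the staff roster (a nurse and a contractor) and the three patient records are constructed sample data, and the audit list stands in for whatever logging a real system would use.

```python
"""Added example (not from the column): the 'anyone can read any record'
design beside a read scoped to the caller's assignments, with denials
logged.  All data below is constructed for the demonstration."""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class RecordStore:
    conn: sqlite3.Connection
    audit: list = field(default_factory=list)   # (user, record_id, outcome)


def build_store() -> RecordStore:
    """Constructed in-memory database: patient records plus an assignment
    table recording which staff member has a work reason to see which record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, patient TEXT, note TEXT);
        CREATE TABLE staff (user TEXT PRIMARY KEY, role TEXT);
        CREATE TABLE assignments (user TEXT, record_id INTEGER);
        INSERT INTO records VALUES
            (1, 'patient-A', 'constructed sample note A'),
            (2, 'patient-B', 'constructed sample note B'),
            (3, 'patient-C', 'constructed sample note C');
        INSERT INTO staff VALUES ('nurse1', 'clinical'), ('temp1', 'contractor');
        -- nurse1 is assigned to two patients; the contractor to none
        INSERT INTO assignments VALUES ('nurse1', 1), ('nurse1', 2);
    """)
    return RecordStore(conn)


def fetch_any(store: RecordStore, user: str, record_id: int):
    """The design the column warns against: every secretary and contractor
    can pull any record.  The user is never consulted; the id is the whole key."""
    row = store.conn.execute(
        "SELECT note FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def fetch_need_to_know(store: RecordStore, user: str, record_id: int):
    """Read scoped to the caller's assignments.  Denials are recorded too, so a
    contractor browsing records they have no reason to see leaves a trail."""
    row = store.conn.execute(
        "SELECT r.note FROM records r JOIN assignments a ON a.record_id = r.id "
        "WHERE r.id = ? AND a.user = ?", (record_id, user)).fetchone()
    if row is None:
        store.audit.append((user, record_id, "DENIED"))
        return None
    store.audit.append((user, record_id, "OK"))
    return row[0]


def browsing_attempts(store: RecordStore, fetch, user: str) -> int:
    """How many of the three records a user can pull under a given design."""
    return sum(1 for rid in (1, 2, 3) if fetch(store, user, rid) is not None)


def denied_counts(store: RecordStore) -> dict:
    """Per-user count of denied reads from the audit trail; a high count for
    one account is the signal a reviewer would look at."""
    counts = {}
    for user, _rid, outcome in store.audit:
        if outcome == "DENIED":
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    store = build_store()
    print("flat design, contractor reads:", browsing_attempts(store, fetch_any, "temp1"))
    print("scoped design, contractor reads:", browsing_attempts(store, fetch_need_to_know, "temp1"))
    print("scoped design, nurse reads:", browsing_attempts(store, fetch_need_to_know, "nurse1"))
    print("denied reads per user:", denied_counts(store))
```

The point of the join in `fetch_need_to_know` is that the authorization question is answered inside the same query that returns the data, so there is no code path that hands back a record without passing through the assignment table. Logging the denials is what turns the "bored contractor examines records" headline into something an auditor can find before a reporter does.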