'Security' Makes Me Sick
By Jim Rapoza | Posted 2006-03-13
Opinion: When it comes to security, companies are taking the path of least resistance, and getting away with it.
Imagine you went to a restaurant for dinner and became violently ill. After a little investigation, you find out that some of your food was uncooked, that the salad was prepared with a knife that had been used to cut raw chicken and that the mayonnaise in the dressing had been kept in a broken refrigerator.
With all this information, you would think that you'd have a pretty good case to get compensated for your medical bills and lost workdays, and that the restaurant would be in pretty big trouble with the health inspectors.
But you'd be wrong. Instead, the restaurant would defend its actions, saying, "Hey, we did cook your food; we just didn't cook it enough. And the cook did wipe the raw chicken knife before making the salads, but it was on his apron. And, oh, yeah, the regulations say only that we have to put the mayonnaise in a refrigerator; they don't say anything about the refrigerator actually working."
Even worse, the authorities would agree, basically saying that the restaurant doesn't need to prepare food safely; it need only make a token attempt to do so.
Imagine the outcry if something like this happened. I can already see the coverage on my local TV news: "Local judge says it's OK for restaurants to poison you. Full story at 11."
But when it comes to securing your personal data, a judge has basically decided companies can do the bare minimum or less when it comes to data safety and get away with it.
As detailed in an article on the SecurityFocus Web site (www.securityfocus.com/columnists/387), a recent Minnesota court case involved a consumer whose personal financial information was lost by the company that handled his student loan.
It turned out that this company let an analyst load detailed, unencrypted information about more than 500,000 loans onto a personal laptop and bring it home.
It was no surprise that the analyst's laptop, along with the personal financial data of all those loan customers, was stolen.
After the company informed customers about the data loss, one decided to seek reparations for the time and money he lost, as well as the fear that was caused, as a result of the company's negligence. So he sued.
Now, it's not that this person didn't win that bothers me. It's the grounds on which the judge dismissed the case. The judge basically decided the loan company didn't really need to have good security as long as it had policies stating that it cared about security.
The judge also said it didn't matter that the data on the laptop wasn't encrypted because the pertinent law (the Gramm-Leach-Bliley Act) doesn't specify that data must be encrypted. In fact, as the SecurityFocus article points out, the law doesn't require that any specific security procedures be taken, only reasonable measures (which, I guess, means a user name of "admin" and a password of "password").
So, even though the loan company failed to meet even the most basic requirements for securing vital customer data, the judge decided it had done plenty and dismissed the case.
This relates to past columns I've written about the dangers involved when judges and politicians who know nothing about technology make decisions that have long-lasting and negative consequences for all technology.
Under the strict letter of the law, the judge probably made the right decision. That's because decisions such as this are based essentially on whether the defendant was doing what its peers typically do.
In fact, according to several studies in the last year, there are still more companies trying to get by with the security bare minimum than there are companies that take security seriously. So, based on the standard by which the judge was deciding the case, the loan company didn't do much worse than the average company.
As if no-responsibility software licenses weren't bad enough, we consumers now have to face the fact that the companies that hold our personal data can lose it negligently and not have to face any repercussions.
And you know what? That just makes me feel sick.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.