Blogger: Eric Maiwald
Just out of curiosity – is anyone else concerned about how the victim is getting vilified when there is a significant loss of credit card data or PII?
Heartland may have been very dumb in the way they are handling the PR side of things but remember that they were robbed by criminals. Certainly, any company (or individual for that matter) that accepts sensitive information from customers has a duty to protect that information. However, even if a company follows standard practices, complies with regulations and laws, and takes other steps, it is still a matter of risk management. At some point, the residual risk must be accepted. When we accept risk, we are saying that there is still some chance of negative consequences. There are no guarantees that the information will be protected under any and all circumstances.
Yet reading the news stories and discussing this within Burton Group (you can see a blog post from Burton’s Identity and Privacy Management Service here), it seems that we are looking for a 100% guarantee. This makes the security and risk management equation a binary, results-oriented art: either we are “secure” or we are not. How do we know we are? No incidents. How do we know we are not? Incident!
Were some of the companies that have lost PII negligent? To be honest, I’m not sure. From the perspective of folks who live and breathe technology all day long, it seems that in some cases, obvious controls were not in place (TJX and the use of WEP come to mind). But there is usually more to the question than just deploying the latest up-to-date technology. Enterprises must deal with budgets, staff resources, and other concerns. 20/20 hindsight says “obviously they should have put this item on the top of the list!” But since we don’t know what the rest of the list was, it is hard for us to make such a statement stick.
Let me take this out of the IT technology realm for a moment. Is an individual negligent if they don’t have a car alarm? What about Lojack for the car? Or one of those steering wheel locks? If the car is stolen, was it the owner’s fault? Not usually. All of those things are existing technologies that could prevent the theft or quickly locate the car once it is stolen. Even in cases where the owner was dumb enough to leave the car unlocked with the key in the ignition, the owner was the victim. A criminal stole the car.
The same is true with regard to credit card data - a criminal stole the data.
PII is not a car and in Heartland’s case what they had was data from third parties (credit card holders) who had no relationship to Heartland (as opposed to an individual who makes choices about his own car). Does this increase Heartland’s responsibility and duty to protect the information? Yes, I believe that if I hold somebody else’s stuff, I have a larger responsibility than if I only hold my stuff. But I still cannot guarantee that some other person (a criminal perhaps) will not do something that I cannot control.
So what is the standard for companies that hold consumer PII? Is there a standard or due care that we can apply? If so, let’s identify it and make sure that these companies meet the standard. Let’s make that a requirement for being in business – maybe that will be the next version of the PCI DSS.
If there is no standard then each company will make their own risk management decisions. Some will say that they do not want to store (or process) any consumer PII. I see this in many of the smaller shops that I frequent – the store owner has a point of sale device that links into some payment processor (like Heartland) so that they do not have to see or store the customer’s credit card info. Other companies will implement controls to protect the PII (the processors will fall into this category). They will implement controls based on risk management decisions. Will they continue to stay in business if any breach of PII confidentiality means huge (potentially company ending) losses? Will they charge higher fees to cover the risk? Will the merchants pay the higher fees (remember that the merchants also get hit with the fraudulent charges when a card number is stolen)?
Risk management is not a guarantee. Everyone makes risk management decisions every day of their lives. You do it when you drive a car or pay with a credit card. Laugh at the folks at Heartland and others who have been breached if you feel you must, but do not expect security (i.e. freedom from risk or danger) in this lifetime.

As someone who has been involved in those senior level conversations about risk and PRIORITIES, this post is dead-on. Thanks for injecting some common sense into the dialogue.
No one wants to make excuses for bad decision-making, but the fact is that the old cliché is right: hindsight is 20/20.
Sometimes it’s a decision about spending time and money on actions that ensure the survival of the company, versus spending time and money on perceived future risks. Maybe that was the case with Heartland (I, too, don't have any inside info). But it’s not out of the realm of possibility - so let’s assume for a moment that it was that kind of tradeoff. In which case (if that were true) the fact that they are still a "going concern" (even after losses and fines) means they made the right call, doesn't it?
Posted by: Jack Santos | February 12, 2009 at 08:05 AM
Risk-reward analysis should be based on the known, the possible, and scenario building of worst cases. We're in a financial crisis because our banking system did not always factor in worst cases. For those that hold PII of others as a service, there are higher risks because of the trust and assumption of security in their business. But don't continue with bad business decisions; we now have another tangible case to improve the risk analysis for those providing services. This is real, and even Visa has issued an alert to help with being more transparent on the 'how' this could have happened. Encryption is far off - having deeper visibility in the infrastructure and what's changing is the immediate answer and money well spent to mitigate real threats - they are no longer perceived future threats. I think Heartland is not reacting properly to this situation, and that is what bothers me; we all make mistakes, but don't let it happen twice. www.solidcore.com
Posted by: kim4solidcore | February 13, 2009 at 04:35 PM