Blogger: Eric Maiwald
Just out of curiosity – is anyone else concerned about how the victim is getting vilified when there is a significant loss of credit card data or PII?
Heartland may have been very dumb in the way they are handling the PR side of things but remember that they were robbed by criminals. Certainly, any company (or individual for that matter) that accepts sensitive information from customers has a duty to protect that information. However, even if a company follows standard practices, complies with regulations and laws, and takes other steps, it is still a matter of risk management. At some point, the residual risk must be accepted. When we accept risk, we are saying that there is still some chance of negative consequences. There are no guarantees that the information will be protected under any and all circumstances.
Yet reading the news stories and discussing this within Burton Group (you can see a blog post from Burton’s Identity and Privacy Management Service here), it seems that we are looking for a 100% guarantee. This makes the security and risk management equation a binary, results-oriented art – either we are “secure” or we are not. How do we know we are? No incidents. How do we know we are not? Incident!
Were some of the companies that have lost PII negligent? To be honest, I’m not sure. From the perspective of folks who live and breathe technology all day long, it seems that in some cases, obvious controls were not in place (TJX and the use of WEP come to mind). But there is usually more to the question than just deploying the latest up-to-date technology. Enterprises must deal with budgets, staff resources, and other concerns. 20/20 hindsight says “obviously they should have put this item on the top of the list!” But since we don’t know what the rest of the list was, it is hard for us to make such a statement stick.
Let me take this out of the IT technology realm for a moment. Is an individual negligent if they don’t have a car alarm? What about Lojack for the car? Or one of those steering wheel locks? If the car is stolen, was it the owner’s fault? Not usually. All of those things are existing technology that could prevent the theft or quickly locate the car when it is stolen. Even in cases where the owner was dumb enough to leave the car unlocked and the key in the ignition, the owner was the victim. A criminal stole the car.
The same is true with regard to credit card data - a criminal stole the data.
PII is not a car, and in Heartland’s case what they had was data from third parties (credit card holders) who had no relationship to Heartland (as opposed to an individual who makes choices about his own car). Does this increase Heartland’s responsibility and duty to protect the information? Yes, I believe that if I hold somebody else’s stuff, I have a larger responsibility than if I only hold my stuff. But I still cannot guarantee that some other person (a criminal perhaps) will not do something that I cannot control.
So what is the standard for companies that hold consumer PII? Is there a standard or due care that we can apply? If so, let’s identify it and make sure that these companies meet the standard. Let’s make that a requirement for being in business – maybe that will be the next version of the PCI DSS.
If there is no standard, then each company will make its own risk management decisions. Some will say that they do not want to store (or process) any consumer PII. I see this in many of the smaller shops that I frequent – the store owner has a point of sale device that links into some payment processor (like Heartland) so that they do not have to see or store the customer’s credit card info. Other companies will implement controls to protect the PII (the processors will fall into this category). They will implement controls based on risk management decisions. Will they continue to stay in business if any breach of PII confidentiality means huge (potentially company-ending) losses? Will they charge higher fees to cover the risk? Will the merchants pay the higher fees (remember that the merchants also get hit with the fraudulent charges when a card number is stolen)?
Risk management is not a guarantee. Everyone makes risk management decisions every day of their lives. You do it when you drive a car or pay with a credit card. Laugh at the folks at Heartland and others who have been breached if you feel you must, but do not expect security (i.e. freedom from risk or danger) in this lifetime.