Will customers ever really care about their Data Security?

Last week Neira Jones tweeted:

To which I responded:

Quentyn Taylor made this observation in response:

I countered with:

Again Quentyn disagreed:

As this is my blog I feel at liberty to employ a measure of cognitive dissonance, and so will say both Quentyn and I are right.

The Case For Quentyn

Many times we hear that consumers have little idea of the value of their personal data, and this is sadly true. We frivolously part with it in exchange for free online services and convenience, without a thought to the idiom: “If you’re not paying for the product, you are the product”.

Price is a major factor, and here again we ignore an idiom: “You get what you pay for”. Do we really expect our Broadband supplier to dedicate the necessary resources to the security of our data when they’re the cheapest on the market and most of their budget is consumed with sponsoring X Factor?

The sage Jerry Bell added to Quentyn’s case yesterday in his blog post:

One might argue that the free market will reward those firms who act responsibly and punish those that act irresponsibly. On a sufficiently long timeline, that may happen. Recent events appear to indicate that losing customer data does not cause companies to go out of business, and may not even significantly impact customer demand or loyalty.

An interesting attribute is that in the context of information security, the firm that loses the data isn’t the bad actor. The firm is itself a victim.

All of this makes me wonder: is the responsibility for storing sensitive data simply incongruent with the objectives of a profit-driven company?

It certainly appears this is true.

Here’s Target’s post-breach share price activity as an example:


A compelling case I’m sure you’ll agree.

My Case

I’m arguing that Data Breaches will increasingly have an adverse impact on companies. This won’t happen with the current consumer mindset, but consumers’ attitudes will change and there will be a paradigm shift.

As it stands, for most people data crime happens to other people, but as we reach a tipping point in the future and everybody knows somebody adversely affected – or is a victim themselves – consumers will grow weary of businesses playing fast and loose with their data.

Customers will tire of crass post-breach sound bites such as “Your security is very important to us” and will begin to see through the dismissive and insulting post-breach press release.

Take this one from children’s electronic toy maker VTech:

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

It is important to note that our customer database does not contain any credit card information and VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here.

Not even an apology. And it’s obvious VTech consider the following customer information of little importance:

User profile information, including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

Sadly for customers, this information can be wielded against them by criminals in a plethora of devastating ways, not to mention the fact that Big Data Analysis combining data from other breaches potentially allows correlation of this information with previously stolen credit card information.

Troy Hunt has written forensically on this particularly grim case.

I believe consumers will wake up to the value of their personal data and companies known to go above and beyond in Information Security will reap the rewards: Customer attraction, loyalty and business growth.

I believe customers will in the future be happy to pay the few extra shekels to go with a company that takes their data security seriously.

Admittedly, my case is a prediction for the future, grounded in hope and premised on a shift in the attitudes of consumers, who will vote with their feet and punish businesses that treat their data with disdain.

However, I do view this prediction as a logical progression.

I hope I’m right.