Friday, July 29, 2005

CardSystems made its choices clear

The chorus in favour of stronger privacy protections is getting louder. Daniel Handson, at SecurityFocus, has written an opinion piece at that website, calling for greater laws to deal with incidents like the CardSystems breach:

CardSystems made its choices clear

"... The latest news in this escapade is that CardSystems has now lost the contracts it had, and also faces corporate extinction. Now some reading this may be cheering a little, or perhaps a lot, at the karmic balance of CardSystems potentially paying the ultimate price for their cavalier attitude. However other people are suggesting that this corporate extinction might come as a result of misguided notification laws implemented in California, and that without the mandated public disclosure and the resulting firestorm of controversy, the company could have fixed its problems quietly and kept on serving its shareholders and customers. I think that both of these views are misguided and miss the truth.

CardSystems violated a contractual agreement that was put in place by the companies it served. It's that simple. CardSystems kept data in an insecure fashion, with no concern given to the minimum security and encryption standards that it was required to implement. I fail to see why legislation on data protection would change this situation. CardSystems was already required to maintain a certain level of security and failed to do that. In one report, Bruce Schneier, mentioned that this was a common problem with contractual obligations: the fact that auditing is hard. Therefore I cannot see why changing a contractual agreement into a legislated law will make auditing any easier. To draw another comparison, did the fact that they were violating laws affect the behavior of the people at Enron?

Many companies have a long way to go in the security world, and yet the one sector of our civilian society that tends to get information security is the banking and financial industry. Sure they aren’t perfect, but in my experience they are heads and tails better than almost anyone else that I deal with at understanding data privacy. In the case of CardSystems, however, the industry insisted that minimum standards be maintained, outlined what those minimum standards were, and yet much of that was ignored. CardSystems, if it does go bankrupt, will have done so because they willfully violated a contractual obligation, not because of disclosure laws, or public pressure. Would you use a company that had willfully violated previous contracts? Would you want your credit card company to supply your data to that company? I cannot see why repealing disclosure laws and helping to mitigate the lynch mob mentality that can follow a mistake changes the fact that CardSystems violated a contract, and that contract violation is what has brought about this imminent death. I await the forthcoming laws that attempt to prevent something like this from ever happening again. Meanwhile, I continue to check my credit-card statement, bank statements and never give out my Social Insurance Number (or SSN) unless I absolutely have to. I wonder if any of the legislators who are outraged by this would give me their mother’s maiden name, birth-date and the name of their first pet? ..."

No comments: