Security, Privacy, Accountability – Let the Party Begin
by Carol Baroudi & Robin Bloor
Headline: CardSystems Solutions Exposes 40 Million Credit Cards to Security Risk.
Headline: BJ’s Wholesale Club Settles FTC Charges of Creating Unnecessary Risk and Failure to Use Available Security Measures.
The emperor has no clothes. Again. The sad – but not entirely surprising – truth is that many, many companies have been paying lip service to security and data privacy. Granted, they’ve bought firewalls, installed security solutions, and said “Yes” to audit. But having dutifully talked a good game about the dangers of ignoring security threats, they are still going on their merry way, blithely ignoring the real problem. The reality is that most do as little as possible to be able to answer “Yes” to the question “Is your data secure?”
FTC to BJ’s: “Not Good Enough”
Could it be that the recent and horrifying security failure at CardSystems Solutions that exposed 40 million credit card holders to risk and led to the direct theft of the details of 200,000 cards is precisely of this ilk? It certainly looks like it. According to reports, CardSystems was using live credit card data as test data, in violation of industry security procedures. In the same week, the FTC had a few unpleasant things to say to BJ’s Wholesale Club as it settled yet another case of inadequate data protection.
The loud message from the FTC in the BJ’s Wholesale Club settlement is: “That’s not good enough.” Hurwitz & Associates agrees completely. We’re tired of organizations playing fast and loose with personal data and being all too ready to expose individuals to personal risk. We believe the FTC’s action in the BJ’s Wholesale Club example begins to answer the question of whether organizations will be held accountable to other privacy and data security regulations such as HIPAA and Sarbanes-Oxley. We believe the answer is an emphatic “Yes.”
No Mean Feat
Although the FTC leveled no fine, BJ’s has agreed to do everything necessary to make itself secure – including submitting to a third-party audit every other year for 20 years. We think this is no mean feat. Technology perpetually advances, as do new, creative security threats. BJ’s will be scrutinized to ensure they’re doing the right thing. Our hope is that every organization that handles personal data is paying attention and understands its own mandate.
Right Here, Right Now
Fraud, identity theft, and security threats of all kinds – from company employees, from outside hackers, from customers or clients – are rapidly rising. Take BJ’s as an early warning and CardSystems as a call to action. It’s not a matter of “if” someone will attack your data – it’s a matter of “when.” What the FTC’s action regarding BJ’s tells us is that companies need to understand that, when they put personal data at risk, they put themselves at risk. They will be held liable. We believe that as time goes by, the penalties will be more and more severe, because the grace period is definitely over. The regulators aren’t taking ignorance as an excuse any longer. It’s time for the emperor to put on some real clothes.