Congress is inept. I don’t say that because it’s an opinion I’ve recently come to as I adhere to this general feeling the American public has been overwhelmed with about government; it’s been a realization I had back in the early 90’s when I was first able to vote.
Let me provide a recent, specific example.
Yesterday I received an e-mail from Norton warning me that a certain credit card company I’m affiliated with got hacked and personal information was being sold on the dark web. That was it. Nothing more specific. No indication of what actions I should or could take. And no indication of whether or not my information had been hacked, or what types of information were being sold. Nothing. So I’m thinking, as an intelligent person, as an IT professional, that I’ll go out to said credit card company’s web site and see what information and/or advice they had to provide.
…nothing…
Now, there was a time I’d find this acceptable—say 1996. But in the modern day and age, I feel that it’s the responsibility of a company to take responsibility for data breaches. But they don’t. I will admit, it’s understandable, at least from the legal standpoint: don’t admit any responsibility and definitely whatever you do, don’t admit to your customers that your InfoSec department (InfoSec = Information Security) either wasn’t doing their jobs or just didn’t have the resources to effectively keep hackers out.
Frankly, I believe it’s every company’s moral duty to inform customers of data breaches.
So what bothers me, what rubs me in all the wrong places, is not that companies aren’t being straight shooters with their customers. It’s that the solution to this is pretty simple: Congress must enact a law that requires any company that loses PII (Personally Identifying Information) to hackers to immediately inform customers when their infrastructure has been breached. And they must inform them in at least two ways: 1) via e-mail and 2) at the top of the home pages of their web sites.
Simple and customer-centric, right? It’s simple. It’s responsible. It’s moral. Such a bill would literally be a dozen pages long (short for a legal document) and be passed in one afternoon. But nah, Congress won’t do that. Congress won’t because big companies will push back with, “It’ll negatively impact the bottom line.” Well, no shit! You allowed the foxes into the henhouse!
You should be held accountable!
Over my career I’ve worked at a number of companies where some random Tuesday comes along and the FBI calls us telling us our information is available on the dark web. It happens. And you know what? It happens a lot more often than most people even remotely suspect. Companies just don’t advertise it. It might, if it’s big enough, make the national news, but generally it’s swept under the carpet, like a huge pile of horse dung. And that’s not moral. That’s not acceptable. And it shouldn’t be legal.
I think of all the threats against the “free” world, the really nasty technological threats are yet to come; my opinion is: we’re not ready. We don’t handle something as simple as this very well, and Congress sits on its collective ass, not understanding the threats. Imagine how well we’d do when our adversaries get really serious.