Tuesday, April 6, 2010

Data Disclosure and Compensation

I was recently thinking about the data disclosure breach of 3.3 million from ECMC, and as I read the article, I was becoming increasingly disturbed about the lengths that companies that sustain a data breach are taking to compensate the victim. It seems as if it is customary to send a letter to the victim and offer one year of credit monitoring services. This is garbage in my opinion, as many of the victims are already under a credit monitoring service from some other company and their data breach.

We are quickly heading towards two unique tipping points:

1) Credit monitoring service is not retributive justice for the violation of one's private, personal data. Sure, it stings the company bottom line, but chances are, this is in a cash account just waiting for the day it may need to be used. The real victims are the ones whose data is stolen, kicked around, and ends up who knows where. So we give the victim the equivalent of a carnival prize. "Thanks for playing."

2) It appears that the information security community places a high value on private (PII) information. We spend trillions of dollars protecting 9-digit SSNs because they can easily be paired with a name as the basis of identity theft. What if we devalued this information, instead of throwing everything but the kitchen sink at it to keep it secret? Maybe it is biometrics, or maybe it is some form of smart card. I don't claim to know the answer; however, we should consider all options to protect the identity of the victims and potential victims, not the random bits and bytes that identify us.

I would be interested in hearing others' perspectives on these points.