It’s been said that those who don’t learn from history are doomed to repeat it. In my last article, I wrote metaphorically about the medieval arms race to protect the pot of gold inside the castle from outside intruders. This time I want to draw upon history as the telescopic lens through which we forecast the journey into the future in a world full of advanced technology. Through this lens, we will see that the future is already here and history is beginning to write the same story again.
We’ll aim our history telescope backward in time to the technological breakthrough of the automobile. As with any technology, each advance is initially embraced by only a few, and the same was true of the automobile. While the first self-propelled vehicle may have been designed and custom-built as early as the late 1600s, automobiles were not mass-produced and available to the general public until the turn of the 20th century. The widespread, generalized use of the automobile came about right after World War I, thanks to the genius of Henry Ford.
Even in the early days of the automobile, there existed enough power in these “new” devices to wreak havoc upon lives whenever there was an accident. Victims of such accidents were often left holding the bag in terms of the costs and consequences, as were the drivers themselves, regardless of who was at fault. At some point the repeated scenario of “cause and victim” attracted the attention of governments, and the auto insurance industry was born through mandatory legislation. The ones wielding the wheel of this new technology were made accountable, and the ante was raised.
Shift ahead to the 21st century and we behold the power of a world full of automation, driven by the wonders of computer technology. And while computer technology is no longer new either, the global use of computers as the business engine, fueled by a gasoline of endless data tied to the consumer, is starting to have the same effect whenever the “accidents” that we call breaches take place. Governments are beginning to wake up and take notice, and questions concerning liability are starting to be asked. In effect, the future is happening now, history is in the process of repeating itself, and the ante is being raised once again.
Recently, a federal appeals court, the Third Circuit Court of Appeals, ruled that the government, in the form of the Federal Trade Commission (FTC), has the authority to punish businesses that don’t adequately protect private information. The decision from this federal appeals court “clarifies the FTC’s powers, giving it more ammunition against businesses that fail to invest in their own security,” a recent Washington Post article states.
Amongst security peers, I’ve had recent discussions involving companies that haven’t yet moved to take ownership of, or taken very seriously, their responsibility to protect consumer information. The most well-known and publicized is the Wyndham Hotel Group, which was sued by the FTC in 2012 for multiple breaches and for afterward (1) not taking significant steps to prevent future breaches and (2) misrepresenting that they had (when in fact they had done essentially nothing). The aforementioned Washington Post article points the telescopic lens back, stating:
Wyndham did virtually nothing to secure its systems. It did not use encryption, firewalls or other basic security measures such as requiring employees to use strong passwords. Wyndham’s actions were “unfair” and “deceptive” toward consumers who were led to believe they were getting an adequate level of security, according to the FTC.
Legal precedent has now been shaped by this recent case against the Wyndham Hotel Group: the appeals court’s ruling in Wyndham’s own challenge affirmed that the FTC does in fact hold the power to continue suing and holding accountable companies that don’t take the security of private data seriously.
As with the past problem of the automobile, the power of wielding the wheel of consumer data on the information highway without taking reasonable protective action is now gaining authoritative recognition. “We’re still trying to find budget” likely isn’t going to remain a defensible position against the backdrop of knowing that your company and the data you hold remain vulnerable. Those who continue to drive their businesses forward without protecting data are going to be made liable. Our history telescope is accurately forecasting a “new” IT Security future: businesses now effectively must take ownership, must become accountable, and must take action, or otherwise face the very real possibility of significant legal consequences.
Make no mistake, many corporations have taken notice of a new and emerging liability landscape and are taking action. Many CISOs now sit at a peer level with the CIO and other C-level members and have direct access and accountability to the board. IT Security spend has board-level oversight and easy approval in a growing number of companies. So, many companies are taking ownership and accountability themselves. But for those who are not, the door is closing on the time when you can decide to turn a blind eye to the issue of vulnerability and simply wash your hands of it, leaving the consumer as the victim in your wake, holding the proverbial bag.
Where is all this driving us? Time will continue to tell, but if history is any clear indicator of the future, it doesn’t take prophetic insight to see that measures will increasingly be taken and the ante raised to protect the consumer from those driving on the road to profit with gas tanks full of private data. The time has come to take data security seriously, recognize the absence of industry-standard controls such as data-at-rest encryption as gaps, and take ownership of closing those gaps to strengthen your security posture, or otherwise face consequences that will very likely be detrimental to your business.