Thursday, August 16, 2007

Calif-online-crime Law

According to CSO, merchants in California may end up liable for data breaches.

I think this is a good thing but I also think it is a bad thing.

It's good because a lot of large companies pay lip service to Information Security and don't take it seriously enough. This will make sure that they do. It is good because it is not the poor customer who takes the risk when he does his shopping.

It's bad because it attacks companies for essentially being victims of crime. Not only does the company suffer from the crime itself, but it also suffers from the after-effects of the crime.

On the other hand (I think we are up to 3 by now), there is always a risk in doing business, and especially a risk of crime; it has just moved online now. Companies make good profits, or else they would not be doing what they are doing, so they need to set aside some of those profits to protect themselves and their customers' information from the criminals, rather than ignoring the issues and pushing the risk onto the very customers that give them money.

I guess it's kinda like me locking my expensive car and keeping the keys in my pocket, but borrowing a friend's cheap car and leaving it unlocked with the motor running in the street because, hey, it's not my car.

This law is receiving strong opposition, but I think it will be passed. If it is, you can bet that somehow the cost will be passed on to the customers, who will end up paying for the protection of their own information.

2 comments:

Andy, ITGuy said...

Allen, I like this law if they can prove that the retailer was really negligent in securing the data. If they have done a good job and still got owned, it's a different story. There are too many shops out there that just don't do security, and if they want to collect $ via CC then they need to play in the big leagues.

Allen Baranov, CISSP said...

Andy, I thought the same, but I think that it should be a risk for all stores, even if they do a good job of security.

But if they do a good job, then the risk of them being hacked and having to pay out is less.

Your way leads to Bruce Schneier's security theater, where companies will work harder to look like they are doing the right thing so they can prove they weren't negligent and hence can shift the expenses to their customers. If everyone is at risk, they will rather do the right thing and make themselves more secure so that they don't get hacked.