Two Dwarves Were Walking Through the Woods …

by Wim Remes

Once upon a time in the land of milk and honey, Jack and Charles, 2 hard-working dwarves, were strolling through the magic forest. They had been walking for a while now and they were getting tired, but Mike, their boss, had instructed them to bring home 10 stones and they had only found six.  Jack, being the senior dwarf, carried the backpack with the stones and regularly sent Charles between the trees to retrieve a stone.  Charles would diligently comply, and when he actually found a stone, he would put it in the backpack, quickly going back to searching for more stones.

What looked like an easy task turned out to be quite difficult: There’s more wood in a forest than there are stones, you know.

Jack was sweating heavily, his legs hurt, and he was slowing down. Charles, however, looked like he hadn’t done anything yet. He was dancing through the forest, quickly running left and right to look for stones.  “Hey Jack, should I carry the backpack now?” he asked. “No, keep searching, it’s about time you found some stones” Jack replied. He was not amused with the situation, feeling the skin on his shoulders being ripped to tiny pieces.

As the sun was falling toward the horizon, Jack and Charles reached a river. Charles quickly picked up four stones and put them in the backpack.  Jack was happy, and so was Charles. “Hey Charles,” Jack said “do you see that apple tree across the river?” Charles saw the shiny, juicy apples and he suddenly felt how hungry he actually was.

As Jack and Charles crossed the river together, Jack sank to the bottom and drowned.  Charles didn’t look back and moved on to stuff himself with tasty apples.  On his way back across the river, he slid the backpack off of Jack’s already chilly shoulders. He walked home and delivered the stones to Mike who, of course, was very happy. He awarded Charles with an extra portion of porridge and Jack, well, nobody ever remembered who Jack really was.

Jack is a dead man! Why? Because he refused to share his knowledge (the stones) with Charles. He thought it was alright to boss Charles around, instructing him in exactly what to do.  He also got angry at Charles because he thought Charles was better off. After all, it’s not as though Jack had to carry that backpack. Charles wanted to because he felt it was his responsibility, which it wasn’t. As the senior dwarf, it was his responsibility to get the both of them home safely, with 10 stones.

Do you ever behave like Jack? What gets you, your team and your company forward is the fact that you are open to share experience, ideas and knowledge. Refusing to do that might have you end up on the bottom of a cold river. Rest assured that your seat will not be empty for long.


It’s Time to Pay the Piper

By Michael Starks

Why do companies keep losing our personal information? That, of course, is the billion dollar question. Theories abound, and while we all theorize about the causes, data is still being compromised at an alarming rate.

Allow me to add to the theorizing, fully aware that this is going to sound a bit unconventional. What follows is not so much a concrete theory and solution, but an offering for creative thought. Here’s my take on one of the main reasons breaches happen, followed by a crazy idea about what we can do about it.

Breaches happen because companies are only looking out for number one.

Sorry, you’re not number one. They are.  You are but a meaningless number in a pool of data. They have no attachment to you as an individual and only view your risk as a function of their own. If your risk doesn’t factor into their own, it is casually disregarded. In the event of a breach of your personal information, they will act in their own self-interest. They are unlikely to compensate you for your time, stress, loss of work or anything else directly related to that breach. You get the short end of the stick.

That’s the bad news.  The good news is that it doesn’t have to be this way.  We can change things.

Payment is Past Due: The Action Plan

When our personal risk becomes a real economic factor in the risk of someone holding our information, the balance of the scales will have tipped. Since it is unlikely that companies will find incentives to factor in personal risk, they need to be persuaded through personal privacy and data security legislation.

It might work something like this.  From the multitude of breach statistics collected, we develop a profile of the harm done to a typical person after a breach of a certain type. One would expect, for example, that a lost social security number be more personally harmful than a lost credit card number. That breach profile is then used to assign relative security requirements to companies that wish to deal with that aspect of your data self. The more personal, static and valuable the information, the more stringent the requirement.

To validate that the data is sufficiently protected, the company will be required to undergo independent penetration tests. Audits, while sometimes helpful, are insufficient in that they primarily measure compliance and not the ability to withstand attack. We need to know how safe the data really is.

Here’s where the rubber meets the road. For every failed test, the company will be required to pay premiums to those whose information they are not adequately protecting, proportionate to the amount of risk the test reveals. In traditional insurance models, the insurance company holds risk. You pay them to assume that risk. With this model, the company is putting you in a similar position of risk. Doesn’t it follow that you should be similarly compensated?

In this paradigm, the company doesn’t get to wait until the information is actually breached. They lose the ability to roll the dice, and hope everything is going to be OK, while you remain at risk. They face actual consequences, not just for breaches, but for creating circumstances predisposed to a breach. And with ongoing consequences for doing a poor job of protecting information, it then becomes in their best economic interest to get and remain secure.

By now you are undoubtedly thinking thoughts such as, “this won’t work because..” or “but what about.” Good. The idea wasn’t so much to offer a single solution to a complex problem; rather, it was to spark realization that we can change the rules of the game. No longer do we have to be victims. What are the problems with my proposal? How can it be re-worked? What ideas do you have to win back your identity? Throw me a comment or let’s chat in the forums.
