Many cliches have surfaced for l'affaire ChoicePoint and the general haemorrhaging of personal data by so many careless companies: It's the straw that broke the camel's back, the perfect storm of privacy violations, the Exxon Valdez of data privacy.
But all of them miss the point. The expression that's most appropriate comes from Claude Rains in Casablanca: "I'm shocked, shocked, to find carelessness with private data going on in this establishment...." That's IT's dirty little secret, isn't it? Everyone knows about this problem but looks the other way. To be truly surprised that companies, one, could have all this personal data and, two, could lose all this personal data, is to live in a blissful place indeed. For everyone else who's paying attention, these faux pas aren't newsworthy, they're expected.
Let's be clear: Any security professional will tell you that ChoicePoint's recent security lapse was ordinary fraud.
But ChoicePoint's reaction to the breach was not ordinary, or good, for that matter. We'll leave the grisly details to upcoming coverage in CSO magazine. For now, we'll skip right to the pièce de résistance: ChoicePoint's spokesperson for this incident was its CMO. A brazen choice, a cynical semaphore that said to customers and shareholders and everyone else, "We're going to spin this."
Reprehensible, perhaps, but it makes sense. It's just the logical extension of marketing's dominance over IT in the first place. Long ago, in an era called the dotcom boom, marketing finally neutered information security. Vendors promised "solutions" to Kool-Aid-drinking marketing veeps. Those veeps in turn promised to alchemize revenue out of consumers' private information. Go, said the CEO. Buy these technologies, collect this data and we shall dominate and our stock prices will soar.
It was that era's intense competition and presumption that IT could create a new economy that redrew security mores. Suddenly, market share snuffed out data safety; corporate progress trumped customer privacy. An entire industry, CRM, rose from the new mindset that personal information was somehow a thing the consumer owed the company and if the consumer decided not to share, they were taxed with higher prices or fewer privileges.
If you disagreed with the new rules, you didn't get it. If you deigned to suggest the company should slow down to evaluate risks, you were old economy. Bricks and mortar. Such a loser. Sometimes fired.
We tend to remember the over-the-top dotcom years with wry reverie, like it was that party in college that got just a little too out of hand. But the dotcom era is now showing itself to have much darker, far more sinister consequences than a few personal bankruptcies and obscene real estate prices. The ethos of the late '90s helped to build the infrastructure that has resulted in this era's gross corporate incompetency and irresponsibility. It was the foundation for tens of millions of identity thefts.
Still, so what? Lessons learned, right? Tails tucked, all these unthinking companies endure some embarrassing press coverage, hire a good CISO, go back and secure their systems, and this sort of thing won't happen in the future.
Sadly, I'm here to argue no. Companies not only have failed to secure personal data, they can't secure personal data. The range of technologies available today is in fact incapable of producing an acceptable level of security. The IT infrastructure that business runs on is so flawed, technically and socially, that nothing, no number of security products, can be slapped on post facto to secure personal data. We have built houses on promised mountains. They turned out to be volcanoes. Once you discover something like that, you have two choices: Leave or burn up. You can't make the mountain not a volcano.
Obviously, then, the solution is to leave. Do less with technology. Promise less. Store less. Create rules for personal information. Regulate it. Punish the sinners, and severely.
I understand the implications of this. It means business slows down. Costs more. Is less seamless and transparent (more igneous from the '90s). In short, for businesses, the solution to the personal data/identity theft problem will suck.
But, too bad. Once was a time in America when astringent liquor could be called medicine, and patented and sold until enough people weren't cured, and in fact were harmed. When processed meat contained rat, rat dung, poison and chemical dyes because the stockyards feared no reprisal if individuals took ill or complained. When refineries spewed thousands of tons of mercury and other poisons into the air, or piped it into streams, because it was easier for them than cleaning their effluent.
Then we put a stop to all that, which meant a lot of people who got stinking rich doing these things lost a lot of money. No matter, it was the right thing to do.
Same applies here. Protecting the privacy and personal information of consumers is the right thing to do, but you'd be hard-pressed to find a company, tech or otherwise, that won't fight it. They will. They'll carp about stifling innovation, claim that if they're made responsible for personal data it will damage the economy, and whine that Washington couldn't possibly understand technology well enough to regulate it. Car companies like to boast in commercials about all the airbags in their vehicles, but they once fought to keep them out. Even something with such obvious benefits to customers as airbags, which save lives, will meet resistance if it costs businesses money.
You see, corporations are the victims here. Yes, that's it. ChoicePoint was a victim of fraud. Lexis-Nexis and T-Mobile were the victims of hackers.
As for the millions of individuals who live with the anxiety of knowing criminal enterprises have their personal data, whose bank accounts are cleaned out, who spend months battling credit agencies and banks that have no interest and no incentive to help them... as for all of the real victims of corporate fecklessness, the implicit response is, to quote another French person:
Let them eat cake.