Cartoon 868: Something wrong with this picture
Who decides what security a business will have, and how much? The answer is the business itself. There is very little in the way of regulation: banks, the electric grid, and even nuclear facilities answer largely to themselves. The assumption is that the market will penalize bad decisions.
Former Attorney General Ashcroft removed the requirement that businesses notify the public about breaches. Big breaches, such as Target's, were identified by an external party that made them public; only then was the business forced to admit it had a problem. Why should businesses spend hundreds of thousands of dollars on security each year? If a breach occurs, they apologize, make noises about doing better, and offer a free credit report. The credit report is just another tax deduction for the business. Businesses have been pushing Congress to make publication of breaches by external parties a crime. Companies prefer to remain silent.
A typical case is the recent credit card breach in which massive amounts of cardholder data were stolen at transaction terminals. European banks issue credit cards with chips, which make this kind of theft almost impossible. Congress has not made chips mandatory for American card issuers, so they continue in the less secure way and avoid the expense.
The Sony hack was a shock. It hit management at its core. They thought they were immune. All across corporate America, executives are quaking. Suddenly security is not such a back-burner thing when it affects them directly.
If government cannot (or will not) regulate the type and level of security of businesses, then why should it be held responsible for business security?