I’ve wondered about this for a while now. You may recall the early massive data losses at major retailers, online services and the like – there was significant uproar over lapsed security and the insufficient steps that had been taken to protect information on the systems.
In some cases, new best practices were conceived out of the mess. In some cases stock prices took a hit and corporate personnel were dismissed.
In short, it was a big deal.
As it should be, IMHO. If you’re not doing all you can, if you don’t have best practices in place and reasonable, expected protections, there should be repercussions.
But now, it really does seem like we’ve entered this “ask forgiveness rather than permission” phase of dealing with incursions and hacking. Where things could have been done, where steps could have been taken, they weren’t. The company reports it, everyone gasps “omigosh, can you believe it, another one?!?” and the company apologizes.
I saw this post on Techcrunch talking about preventing, rather than just reporting, breaches, and it’s clear that others are thinking the same types of things.
It’s not all about punishing those that could have done something. Rather, DO THOSE SOMETHINGs. It’s about responsibility and data ethics and the need for fighting for protection of information and systems. It’s about pushing forward on what you have in place now to make it better tomorrow.
There are so many breaches, and people just take it in stride at this point. From the post:
“The efficacy of state breach notification laws is debatable. A recent RAND survey found that more than a quarter of U.S. adults received a breach notice in the past year, and 89 percent of them continued to do business with the company that reported the breach.”
Now, I’m not calling for boycotts or whatever. But I do think the emphasis on the end user, rather than on the root cause or the expectation of practical protection – those things that can prevent this in the first place – is an issue.
If you’ve taken on the responsibility for information systems (or even AN information system), protecting that data and working to prevent these types of things is just part of the gig. I do realize no one is perfect, but the expectations of due diligence and protection seem to be lessening, rather than improving.
It’s so easy to say “sorry” that fewer people feel compelled to pay attention to preventing the issue in the first place. I hope that emphasis changes and that data professionals will push to continually sharpen the sword to protect systems and information.