A credit card authorization company fails to protect the records of individual card holders, and a data breach leads to millions of dollars in fraudulent charges. A nightmare scenario for sure, and a real one. But CardSystems (now part of Solidus Networks and operating as Pay by Touch Solutions) yesterday agreed to a multi-million dollar settlement with the FTC. It also agreed to be audited every other year by a third-party security professional for the next 20 years. (See FTC release, actual settlement and AP story by Jennifer Kerr.) So what does this all mean?
Well, it's good for all consumers that CardSystems' successor will be closely monitored and will have a strong financial incentive to be more careful in the future. But what of other companies handling our data? Can we trust those?
In our interconnected economy, we have to trust those, and we do, every time we make a purchase with a debit or credit card, every time we buy something online, every time we accept instant credit. One could choose to operate solely with cash and a mayonnaise jar under the bed, but it would be a pretty limiting existence. (And how do you stop someone from breaking in and stealing your jar?)
So if we accept that our information is being held by all sorts of folks about whom we know absolutely nothing, how do we know we can trust them? We have to think about what motivates them: profit. Is it profitable, if you're a credit-card authorizer, to suffer a huge data breach? The FTC settlement costs money, but so does the hit to your credibility with your customers; that's the nightmare Solidus Networks is having to clean up right now. I'm sure they're marketing the fact that they will be having these independent security audits to potential business partners, pointing out that their competitors likely aren't under the same scrutiny.
I'm sure it's tempting at times for C-level executives (CEOs, COOs, etc.) to ignore the CIO and decide that investing in security doesn't demonstrate a clear return on investment. But think how little CardSystems would have had to pay to secure its data; the FTC said the company "did not implement simple, low-cost, and readily available defenses to such attacks." I'm sure it regrets not making those investments now. This is something CIOs can point to in making a persuasive case for security spending, and the VP of sales and marketing might like to add that to her pitch.
CardSystems shows market pressure doesn't always work. But the FTC was able to use existing law to make a difference here, and set an example in the market to others. And look -- none of this had to wait for Congress to pass a new law.
For more on the role of government and industry in data security, see a recent paper I wrote with Orson Swindle titled "Managing Information and its Security: The Role of Policymakers, the Private Sector and Consumers." PFF will be addressing this issue in more detail in its all-day Internet Security Summit on May 10.