PC World has an article about “what the law requires of IT.” It makes some interesting points, including how the law in a certain case noted that laptop encryption was not necessary. But it has other noteworthy points as well.
Straight off the bat, the article notes that when bank robbers stole from banks in the days of yore, people felt sorry for the banks and hunted down the outlaws. Today, we blame the banks for not providing adequate security. And I say, can you blame people for behaving this way? It’s all a matter of providing a decent amount of security. There isn’t much to protecting money: get yourself a vault and some security guards with guns. There’s not much else to do.
However, if these same banks had decided to keep the money under their respective bank president’s office sofa cushions, and that money went missing during a burglary…well, let’s say that people wouldn’t be feeling sorry for banks—and others, in addition to outlaws, would be hunted down.
Why does the public in the twenty-first century heap scorn on companies like TJX, which are technically victims of a crime? (Or, depending on your point of view, victims of multiple crimes, since it happened continuously for over a year for TJX?) Why do
People understand implicitly that there is a standard of security that a company shouldn’t dip below, especially in this day and age of identity theft. So when it’s reported that TJX’s C-level executives decided not to upgrade their wireless encryption standards in order to save money, fully knowing that the weaker standard posed a healthy amount of danger, well…it sounds like the company decided to forgo their customers’ financial well-being for company profits. And while companies are supposed to pursue profit, this is
It’s a funny thing, though. As the article points out, from a legal standpoint, the definition of what’s the “legal standard for compliance” with data security tends to vary from case to case. For example, the case of Guin v. Brazos Higher Education Service is given as a legal precedent. In that particular case, a laptop—which may or may not have had sensitive information on it—was stolen from a
The court, however, found that
I know for a fact that the first two listed, while important overall when it comes to security, don’t have the same efficacy that disk encryption offers when it comes to protecting sensitive data after an incident like a home burglary. And it seems to me that a home burglary, while not a common occurrence for the average person, wouldn’t be unexpected, so a provision for data protection under such a scenario should have been contemplated by the company.