Maybe FTC Should Take To Task Breached Companies Claiming To Take "Security Seriously".

Apparently, 2015 is the year when everything old is new again: the encryption wars are back and accelerating; TV shows and movies that were laid to rest are rising from their graves; and classic data breaches are rearing their heads as well.

For example, the site notes that Human Resource Advantage sent an unencrypted USB stick with sensitive data through the mail.  This is the sort of breach notification that reached epic volumes six or seven years ago.  Since then, less insipid data security issues have dominated the net, airwaves, and other media.

And, yet, here we are.


One of the notable things about this latest data breach is how the site covers it.  If you read the short blog post out loud, you can taste the exasperation as the words make their way out of your mouth.

Understandable, when you consider that this sort of data breach shouldn’t be happening anymore.  In an era when laptop manufacturers (I’m looking at you, Apple) are basically doing away with data ports because information is mostly shared wirelessly, this type of data breach stands out like a hipster with a lumberjack beard at a CPA conference.  You really have to go out of your way for something like this to happen.

One could make the argument that the information was sent in this manner precisely because the current wireless interconnectedness is full of security holes.  But then, where is the device encryption?  The argument falls flat because of the lack of cryptographic security – a basic requirement when it comes to data security.

If the companies at the center of this breach truly took “the security of the information in their control very seriously,” they certainly wouldn’t be in this debacle.

(It should be noted, though, that there is a limit to what companies can do.  Their work is cut out for them if an employee decides to secretly go rogue.)

FTC Goes After Companies for Misleading Consumers

Which brings me to the title of this blog post.  The FTC has censured plenty of companies that make bold, misleading claims regarding their data security practices.  Usually, the companies claim on their websites that they take information security and data protection very seriously.

Once a data breach hits them, the FTC investigates; if it finds that the claims don’t match up with the companies’ actual security operations, the end result is (usually) the company paying a large fine without admitting that they’re at fault.

Why is the FTC so rabid about data security claims?  The argument goes something like this: Consumers were reassured by upfront data privacy promises, leading them to purchase or sign up for service.  Hindsight showed that people were intentionally misled.  This is no different from making false claims on the effectiveness of snake oil – and it’s the FTC’s job to pursue merchants who deceive.

It seems to me, though, that claims about “taking the security of personal data very seriously” found in breach notification letters can also be quite misleading.  Oftentimes, the notification letter’s description of the incident implies that it’s very much the opposite.

The empty reassurances, of course, don’t really reassure anyone.  It certainly has not impeded the affected from filing lawsuits, probably to the chagrin (or joy?) of the lawyers who are handling these matters.  But, the level of disingenuousness is indistinguishable from what the FTC takes exception to when the reassurance is made up front.

