Thales Blog

Security And Privacy Battles: Some Fight, Others Waive Responsibility

April 4, 2016

Let’s face it. Security is a hard sell. The customer buys a strong product, implements and supports it correctly, and if all goes according to plan… nothing happens. The fact that nothing bad happens either is critical, of course, but reporting that there’s no bad news doesn’t exactly instill enthusiasm in the boardroom or generate promotions.

The economics of security have been on my mind as I’ve been hearing some of the debates around privacy and security that have been garnering such widespread attention in recent weeks. Whether it’s the case of Apple and its refusal to create an encryption back door on its phones, or VTech’s revision of its terms of use, there are some pretty compelling cases playing out.

Apple and VTech: A Study in Contrasts

While I don’t think you could have missed the Apple story, you may have missed the latest on VTech. As reported in a recent article in The Toronto Star, VTech, the victim of a massive breach back in November 2015, has changed its terms of use. While I have no law background, I think I can confidently provide the following synopsis of the new wording: “If you’re going to entrust us with your children’s personal information, good luck. We won’t take any responsibility for its security.”

The contrast between the two companies’ stories is interesting. On the one hand, you have a company in Apple that has invested significant effort and resources in order to establish strong controls and privacy through the use of encryption. Then the US government asks for the creation of a backdoor that will undoubtedly weaken security, and diminish the value of Apple’s investments.

On the other hand, you have a company in VTech that by most accounts didn’t invest much in security to begin with, failing to encrypt data and placing weak protections around passwords. Not surprisingly, they get hacked, and their response is to do what they can to protect themselves from any responsibility in the event of future breaches.

Since the FBI found an alternative path to gain access to the iPhone in question, we will have to wait for the FBI to find another high-visibility case with which to try to set a precedent. However, I’m just as concerned about the precedents that the case of VTech may set. If the company’s new terms and conditions effectively shield it from any recourse by customers whose data gets stolen, what’s the moral of the story for business executives? Why even try to invest time and money in robust security, if you can waive any responsibility for the customer data you’re managing?

VTech and the Economics of Security

Fundamentally, security investments are business decisions. Decision makers have to assign a cost to the business’ risk, and then use that figure to determine what level of security investment makes financial sense. Organizations like the FAIR Institute and The Open Group have established detailed frameworks for making security investments and decisions based on objective calculations of risk. When calculating the risks associated with a data breach, a big part of the cost is the specter of a civil suit, which entails not only a potential judgment or settlement amount, but also significant legal costs and the continued negative publicity associated with a civil case. If businesses can effectively block their exposure to civil suits stemming from data breaches, the risk is reduced. This means investments get reduced, and breaches will inevitably follow in greater number.
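To make the argument concrete, here is an added illustration (not from the original post, and not the FAIR Institute’s own tooling) that uses the basic FAIR decomposition, risk = loss event frequency × loss magnitude, to compare the expected annual loss of a hypothetical breach scenario with and without civil-suit exposure, and the security spend that each version would justify. All dollar figures, frequencies and probabilities are constructed assumptions.

```python
"""Simplified FAIR-style expected-loss sketch (added illustration).

Constructed figures for a hypothetical consumer-data breach; the point is how
removing civil-suit exposure shrinks the expected loss and therefore the
security spend that a purely risk-based decision would justify.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BreachScenario:
    threat_event_frequency: float  # attack attempts per year (assumed)
    vulnerability: float           # P(an attempt succeeds), 0..1 (assumed)
    primary_loss: float            # response, notification, remediation (assumed)
    legal_loss: float              # judgment/settlement plus legal fees (assumed)
    reputation_loss: float         # lost business, negative publicity (assumed)

    def loss_event_frequency(self) -> float:
        # FAIR: LEF = threat event frequency x vulnerability
        return self.threat_event_frequency * self.vulnerability

    def loss_magnitude(self, liability_waived: bool = False) -> float:
        # FAIR: LM = primary loss + secondary loss. A waiver that holds up in
        # court removes the legal component of the secondary loss.
        legal = 0.0 if liability_waived else self.legal_loss
        return self.primary_loss + self.reputation_loss + legal

    def annualized_loss(self, liability_waived: bool = False) -> float:
        return self.loss_event_frequency() * self.loss_magnitude(liability_waived)


def justified_spend(s: BreachScenario, residual_vulnerability: float,
                    liability_waived: bool = False) -> float:
    """Upper bound on what a control is worth: the reduction in annualized loss
    it buys by cutting vulnerability to residual_vulnerability. Spending more
    than this loses money on paper, which is the executive's decision rule."""
    hardened = replace(s, vulnerability=residual_vulnerability)
    return s.annualized_loss(liability_waived) - hardened.annualized_loss(liability_waived)


# Constructed scenario: four serious attempts a year, one in four succeeds today.
SCENARIO = BreachScenario(threat_event_frequency=4.0, vulnerability=0.25,
                          primary_loss=500_000.0, legal_loss=2_000_000.0,
                          reputation_loss=300_000.0)

if __name__ == "__main__":
    for waived in (False, True):
        label = "liability waived" if waived else "liability retained"
        print(f"{label}: expected annual loss ${SCENARIO.annualized_loss(waived):,.0f}, "
              f"control worth up to ${justified_spend(SCENARIO, 0.05, waived):,.0f}")
```

With these assumptions the waiver cuts the expected annual loss from $2.8M to $0.8M, and the most the business would rationally spend on a control that drives the success rate from 25% to 5% drops from $2.24M to $0.64M.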

The Star article mentions that, after the Adobe breach in 2013, the Privacy Commissioner of Canada ruled that an organization’s terms of use can’t override Canada’s privacy laws, so VTech’s approach may grant it limited protections in the end. Still, it’s a scary prospect to think others may follow VTech’s lead.