An article in Computerworld ( Link ) notes that New Zealand has shifted the burden of security responsibility, and the burden of proof, from the bank to the customer in cases of alleged online theft or fraud.
There has been some debate on the concept. It certainly makes some sense to say that if you don't protect your access methods, then why should the bank be liable for your financial losses.
But there's also the issue of customer service. The whole point of online access is to provide additional/better customer service. Shouldn't the bank also provide adequate tools to allow their customers to operate in safety? And what about the role of NAC and endpoint security in this scenario? Doesn't it make sense to check the customer's PC before the transaction is allowed?
What other issues should be considered, before this shows up in the US Congress?
Thursday, June 28, 2007
Wednesday, June 27, 2007
Privacy isn't free?
So Charles sent out a link to a few of us on an article, "Price of Privacy," from Bob Sullivan at MSNBC.com's Red Tape Chronicles site.
The article discussed individual privacy looking at the concepts of "pay to allow" and "pay to protect."
The article proves the point that people value certain personal identity "attributes" (and their values) more than others, depicted through the divergence of the dollar-values when asked to "allow" or "protect" access.
No kidding. :-)
But from a "you-and-me" perspective, I just don't see the concept of an individual pay-to-allow or pay-to-protect becoming a part of everyday life.
As the author notes in his examples, "avoiding store loyalty cards can be very expensive." No kidding. :-)
Pay-to-allow or pay-to-protect is a fun way to look back. I sometimes have a hard time distinguishing between the two.
Take the loyalty card example at, let's say, a grocery store. Since we love bananas, I have to buy a pound of bananas every week regardless. Let's say they cost $3. If I use my Shoppers Club card, I save $.50 and pay only $2.50 for bananas. If I don't use my loyalty card, it costs me $3 for bananas.
As the concept goes, my grocery store is paying me $.50 for giving them information on my love of bananas.
But aren't I paying them an extra $.50 if I decide that I don't want them to track my purchases?
I understand the importance of the exercise, especially from the perspective of an individual who has been harmed by a breach of privacy and, legally speaking, is seeking compensatory damages.
But as long as we're talking legalese -- let's think about the punitive side of the issue.
Businesses are governed, among other things, through legislation, regulation and policy, but also behave based on the risk (real or perceived) of legal action resulting in the payment of punitive damages, or bad press.
These two areas -- policy and legal -- are what will shape the face of individual privacy (not the individual themselves) in the months and years to come.
Patient information was freely shared before HIPAA.
Businesses did very little to notify individuals of data breaches until California Senate Bill 1386.
TJX's significant data loss (theft) resulted in... lawsuits. No fines that I could find. I wonder if they still qualify for VISA PCI Incentives?
The bottom line is, individuals aren't capable of managing their privacy. Not for lack of intelligence, and not for lack of trying, but for lack of the "giant centralized LDAP in the sky." The de-centralized nature of all that personal data means the only practical solution is for those businesses (and individuals) using and storing the data to be responsible for proper handling and disclosure.
Reveal business or trade "secrets" --- go directly to jail.
Reveal your customers' "secrets" --- maybe get some bad press? A few civil suits?
The only way to ensure proper handling of our data is to apply a strong "visible hand" (sorry Adam Smith) to businesses -- regulations and public policy that carry stiff penalties for data breaches.
And as a side effect, that generates more need for IT Security guys like me. :-)
...in my humble opinion.......