Saturday, September 9, 2017

CIOs need better SOX

By now, you’ve probably visited www.equifaxsecurity2017.com to see if you’ve been compromised.

UGH. 143 Million people. Three Equifax execs poured salt in the wound by selling stock pretty close to the release date of the information. Everyone's a'twitter on Twitter to see if this violated insider trading regulations.

That’s when it hit me. Why aren’t companies (especially publicly traded ones, or ones that deal with sensitive personal information) required to have a C-suite level chief information officer (CIO) who is held to the same level of accountability for security and sensitive data breaches as CFOs are for business reporting? Sure, we have criteria and regulations that companies need to follow (FIPS, Common Criteria, ISO, HIPAA, etc.), but what really results from this other than plummeting stocks and fines on the company itself?

If a CFO or a CEO signs off on a negligent SEC filing, a whole heap of hurt will result that personally affects one or both (clawbacks and/or criminal charges). What happens with a data breach? Fines for the company? Loss of stock value to shareholders?

What happens to the individuals who make decisions that expose their customers?  Get fired?  Most C-suite folks are in the 1%.  They are more than capable of retiring and living on an island somewhere even if they never find another job anywhere. So what level of true personal accountability is there for them?

Let’s put it all on the table: the real underlying societal issue here is the lack of responsibility of the 1% towards the rest of us little people. This is why we have so many SEC regulations.

When we (the little guys) need money, for a home, car, starting a new business, or covering unexpected expenses, we have to take the “anonymous” mass commercial route. We have to go to banks and financial institutions, not people we know.

We don’t meet other rich people on the golf course.  We don’t have brunch at the country club with financiers.  We (typically) didn’t pledge with Manfred Moneybags III.  We don’t have the easy connections to get personal loans and investors.

Our credit and digital identity are the only things the mass market institutions have to determine whether or not they want to part with their money.  Our financial history is the only thing that determines whether we are a better bet than someone else with their capital.

If our credit goes south due to identity theft, we don’t have a bank of lawyers on retainer to take care of it.  We don’t really have people who know us well enough to be able to personally vouch or to provide the financing we need.

A bad credit rating due to identity theft is crippling. Just read this horror story. Let’s multiply this by 140+ million people. 140+ million people who are not rich or well connected.

So, yeah.  When a company suffers a major breach and opens up the little guy to such pain and heartache, we should take it seriously.  We should take it seriously enough to place appropriate consequences upon those that hold the power in making decisions.  We should take it just as seriously as reporting financial information truthfully.

This falls to the CIO and CEO.

All publicly traded companies, and private companies that handle sensitive customer information (or provide such services or software to other companies), should be required to have an Office of the CIO. That CIO should, along with the CEO, be required to sign off on all audits and bear personal responsibility for data breaches, similar to Sarbanes-Oxley.

These breaches have to stop and they probably won’t until the personal consequences become much higher in the C-Suite. #SoX4CIOs
