FTC can finally sue Businesses that fail at basic best practices for Cyber security.
-
@scottalanmiller said:
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
Pirating software is simply a choice that many people and companies due because they don't value the software, but they should.
I personally agree any company who doesn't follow best practices should be pressured to get up to "standard" if they aren't already (by law suit). What I don't want / hope I guess is that the FTC doesn't begin blindly suing companies of any size because new technology hasn't immediately been implemented. Even if 1 of their competitors has implemented it.
It would seem to be unfair if I worked at company A, and called the FTC on company B who didn't immediately implement the newest security measure for my own gain of possibly putting company B out of business so I have less competition. Even if company B offers a better higher quality product.
Is it fair, yeah, does it seem just, no of course not. I can see many businesses in this scenario being royally boned because of slighted competitors.
-
@scottalanmiller said:
@DustinB3403 said:
My only concern is that the FTC could very easily begin using this power to chase down SMB's who even for a lack of trying aren't capable of implementing 'Best practices' at the time of the suit.
Why is that a bad thing? That sounds like a great thing to me. Companies need to be held accountable. If an SMB can't afford to do what needs to be done, they should not be allowed to be in business.
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
I doubt the FTC will take the time to go after SMBs, but I think it would be amazing if they did. We need protection from reckless SMBs more than any other business category, especially as IT pros.
Yeah, I agree with this. It's funny, if you take those same SMB owners and someone starts to rip off what they are doing they will get all indignant on the thieves, but they can't simply look in the mirror.
Equally I'm frustrated by SMBs who buy a $30K printer and in 8 years are crying that they can't replace it with something new because the XP machine runs it is no longer supported, yet the only way the manufacturer has to manage the device, and the SMB is unable/unwilling to buy new equipment - Why wasn't that considered when it was purchased? Why aren't they accruing for the next purchase at the EOL of that equipment. I suppose they might say, well they life of the machine is until it dies and I can't get replacement parts - etc, etc... I'm not really sure where to go from here...
-
@Dashrender said:
Yeah, I agree with this. It's funny, if you take those same SMB owners and someone starts to rip off what they are doing they will get all indignant on the thieves, but they can't simply look in the mirror.
It's very true. It really does seem that the people most upset about being ripped off are the ones most likely to do it.
-
@Dashrender said:
Equally I'm frustrated by SMBs who buy a $30K printer and in 8 years are crying that they can't replace it with something new because the XP machine runs it is no longer supported, yet the only way the manufacturer has to manage the device, and the SMB is unable/unwilling to buy new equipment - Why wasn't that considered when it was purchased?
Because of the "Bad Management in SMB Theory." I think that i need to write up an article on that. Basically because it is bad management that almost certainly made the company be an SMB. With good management they would have stopped being an SMB, right (in theory.)
-
@scottalanmiller said:
Not that I feel that companies should not be allowed to manipulate. Marketing is all about manipulation and no one gets manipulated that doesn't allow themselves to be. So I don't feel that people should be protected from it. As long as it isn't deceptive.
So all advertising should have a disclaimer that says "Your are being manipulated to give us your money" at the bottom of the package or screen?
-
@scottalanmiller said:
@Dashrender said:
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
Actually, free market studies say the opposite. Running fast and loose is often the best way to succeed as long as there is no regulatory system to stop it. Look at Lenovo as a great example. They didn't just put customers at risk by being lazy, they did it intentionally. How quickly did even IT pros forget and/or forgive and keep recommending the product or buying them? How many consumers or businesses even understand the risk that they were put under? Very few.
The free market does not have a long memory. Companies that do things so badly as to actually cause the market to hate them and remember them (can you even think of a company so bad that it falls into this category) can easily just rebrand and do the whole thing again (Cingular renamed themselves AT&T, everyone forgot how awful they were and Windstream changed their name to Windstream because no one would do business with them under the old name, now everyone buys them again and experiences the exact same problems.)
Free markets and consumers simply don't work like this. The best way to make money in a free market is to treat customers poorly in general. Customers are not rational and do not react to bad treatment in the way that you would expect.
I did say that though - consumers have proven that they just don't care enough to remember and be aware of what they are doing.
-
@DustinB3403 said:
So all advertising should have a disclaimer that says "Your are being manipulated to give us your money" at the bottom of the package or screen?
No, by being advertising the disclaimer is assumed. It's part of the "social contract" of sales. I suggested nothing of the sort was needed.
I said it could not be deceptive. Manipulating and deceptive are completely different things. One is fine, one is lying.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
Actually, free market studies say the opposite. Running fast and loose is often the best way to succeed as long as there is no regulatory system to stop it. Look at Lenovo as a great example. They didn't just put customers at risk by being lazy, they did it intentionally. How quickly did even IT pros forget and/or forgive and keep recommending the product or buying them? How many consumers or businesses even understand the risk that they were put under? Very few.
The free market does not have a long memory. Companies that do things so badly as to actually cause the market to hate them and remember them (can you even think of a company so bad that it falls into this category) can easily just rebrand and do the whole thing again (Cingular renamed themselves AT&T, everyone forgot how awful they were and Windstream changed their name to Windstream because no one would do business with them under the old name, now everyone buys them again and experiences the exact same problems.)
Free markets and consumers simply don't work like this. The best way to make money in a free market is to treat customers poorly in general. Customers are not rational and do not react to bad treatment in the way that you would expect.
I did say that though - consumers have proven that they just don't care enough to remember and be aware of what they are doing.
You did, but it is important that we not use free market as a reason to feel that government oversight is bad. You can only have a free market with good government oversight. Do we have too much? Yes. The US does a lot of this very badly, but this isn't an example of that, I don't feel. This seems like the government getting it very right.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
Actually, free market studies say the opposite. Running fast and loose is often the best way to succeed as long as there is no regulatory system to stop it. Look at Lenovo as a great example. They didn't just put customers at risk by being lazy, they did it intentionally. How quickly did even IT pros forget and/or forgive and keep recommending the product or buying them? How many consumers or businesses even understand the risk that they were put under? Very few.
The free market does not have a long memory. Companies that do things so badly as to actually cause the market to hate them and remember them (can you even think of a company so bad that it falls into this category) can easily just rebrand and do the whole thing again (Cingular renamed themselves AT&T, everyone forgot how awful they were and Windstream changed their name to Windstream because no one would do business with them under the old name, now everyone buys them again and experiences the exact same problems.)
Free markets and consumers simply don't work like this. The best way to make money in a free market is to treat customers poorly in general. Customers are not rational and do not react to bad treatment in the way that you would expect.
I did say that though - consumers have proven that they just don't care enough to remember and be aware of what they are doing.
You did, but it is important that we not use free market as a reason to feel that government oversight is bad. You can only have a free market with good government oversight. Do we have too much? Yes. The US does a lot of this very badly, but this isn't an example of that, I don't feel. This seems like the government getting it very right.
And I didn't say this was an example of that - just like I mentioned HIPAA isn't currently a bad example of that, currently. And why aren't they, probably because they don't have the money currently to make it bad. That and doing do would probably bankrupt many small practices/businesses trying to become compliant. Though I agree that that's probably not a good enough reason to not do it.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
Actually, free market studies say the opposite. Running fast and loose is often the best way to succeed as long as there is no regulatory system to stop it. Look at Lenovo as a great example. They didn't just put customers at risk by being lazy, they did it intentionally. How quickly did even IT pros forget and/or forgive and keep recommending the product or buying them? How many consumers or businesses even understand the risk that they were put under? Very few.
The free market does not have a long memory. Companies that do things so badly as to actually cause the market to hate them and remember them (can you even think of a company so bad that it falls into this category) can easily just rebrand and do the whole thing again (Cingular renamed themselves AT&T, everyone forgot how awful they were and Windstream changed their name to Windstream because no one would do business with them under the old name, now everyone buys them again and experiences the exact same problems.)
Free markets and consumers simply don't work like this. The best way to make money in a free market is to treat customers poorly in general. Customers are not rational and do not react to bad treatment in the way that you would expect.
I did say that though - consumers have proven that they just don't care enough to remember and be aware of what they are doing.
You did, but it is important that we not use free market as a reason to feel that government oversight is bad. You can only have a free market with good government oversight. Do we have too much? Yes. The US does a lot of this very badly, but this isn't an example of that, I don't feel. This seems like the government getting it very right.
And I didn't say this was an example of that - just like I mentioned HIPAA isn't currently a bad example of that, currently. And why aren't they, probably because they don't have the money currently to make it bad. That and doing do would probably bankrupt many small practices/businesses trying to become compliant. Though I agree that that's probably not a good enough reason to not do it.
You are still assuming that, even when the government does something good, it either will do something bad with it soon and/or that it intended to do something bad but failed. How is the government ever to do something right if even when it does, you see it as the failure that hasn't happened?
Actually I think that HIPAA isn't very good. It doesn't hold companies accountable to even basic best practices and encourages them to do often reckless things with customer data. I see the lack of enforcement as a failure. That HIPAA doesn't just allow but often somehow encourages medical practices to play dumb and do insecure things because HIPAA keeps not doing more to enforce good practices makes it, to me, a failure.
The FTC could do more, perhaps, to make HIPAA have some teeth.
-
@scottalanmiller I completely hope that that FTC does and will do the correct thing with this new precedent. But I suspect that what will come from this will be more of the chase every company large and small for any penny that the govt can get.
Now, this isn't a bad this in its self, immediately as many companies will get the hint that they need to improve their security policies and practices.
But what will likely come from it is more businesses will simply try to become more deceptive about their practices because "well its to much (money, work, difficult) to (implement / keep current) with current standards.
-
@DustinB3403 said:
@scottalanmiller I completely hope that that FTC does and will do the correct thing with this new precedent. But I suspect that what will come from this will be more of the chase every company large and small for any penny that the govt can get.
But why do you suspect that? Is there a precedence for the government doing something like this? I can't think of one.
-
@DustinB3403 said:
But what will likely come from it is more businesses will simply try to become more deceptive about their practices because "well its to much (money, work, difficult) to (implement / keep current) with current standards.
Why would they get deceptive? I'm not sure what you mean. How would be more deceptive help them?
-
The precedent isn't for this exact case, but as a general practice, "We've done it before, lets go again for another round"
It's how people, not just govt function.
Do something again and again because it's the most simple and rewarding process to do. What happens to the collected monies from the sued companies, does it go towards the damaged parties, or does the govt keep it?
I'd hope it goes to the damaged parties, likely some or most of it does. But some of it definitely goes to the agents supporting those damaged parties. In one way or another. Which would lead to corruption.
-
@DustinB3403 said:
The precedent isn't for this exact case, but as a general practice, "We've done it before, lets go again for another round"
It's how people, not just govt function.
But you are talking about suing wrongdoers. How many cases of wrongdoing do you want the FTC to overlook?
-
I wouldn't say its a number of wrongdoing that the FTC should over look at all.
Nor should they overlook any if it's practical for them to enforce every possible case.
This new power needs to be applied equally, and judgement (fines) applied appropriately (to the scale of the breach, not to the size (profits) that the company makes. Not just a demand for a blank check so to speak from the defendant.
-
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
-
@DustinB3403 said:
This new power needs to be applied equally, and judgement (fines) applied appropriately (to the scale of the breach, not to the size (profits) that the company makes. Not just a demand for a blank check so to speak from the defendant.
Well that's not up to the FTC it would seem. They just prosecute the violators.
-
@DustinB3403 said:
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
I would expect a minimum fine to be very unlikely. And the later to be a good thing. Many SMBs playing fast and loose should indeed close up. That's not the kind of business practices we want being rewarded in any way.
-
@scottalanmiller said:
@DustinB3403 said:
Which I suspect that a "minimum fine" will be developed for all these sorts of cases.
Which I'd imagine would make many businesses pay the fine and close shop.
Why would a minimum fine be unlikely? There are minimum fines for DWI's, using drugs, blantant theft from a person or business.
Its all a matter of reasonable restitution. If 300 people's private information is stolen during a breach. Lets (and just for argument sake) say that the FMV of that stolen data is $5 Million . Credit value, cash, property . What ever it might be.
A minimum restitution to the allowed loss of that FMV has to exist. Otherwise the company that allowed the loss to happen in the first place (and who is at fault) could possibly only pay $100,000 fine. Or almost no fine at all.
Setting a minimum doesn't mean that it will always be used as the value at which stolen information is valued. Where fines are applied from.
It means (at least it should IMO) that if your found guilty of blantant disregard for customer privacy you will pay X dollars and UP as appropriate for the level of the breach.
Quiet honestly I'd want a 1:1 ratio of value:fine but that will likely never happen.
