There is No Delight in Being Right

February 27, 2009 by ADMIN

By Laura Wilson, Information-Security-Resources.com Corporate Liability Editor

“The investigation focuses on allegations that statements made by the Company during that period were false and misleading and failed to disclose or indicate, among other things, that: (1) the Company’s safety and security measures designed to protect consumers’ financial records and data from security breaches were inadequate and ineffective; (2) the Company faced liabilities associated with a breach of the Company’s payment processing network and increasing costs associated with implementing appropriate security measures; and (3) as a result of a breach in the Company’s payment processing network, the Company was at risk of losing customers.” Law Offices of Howard G. Smith

This problem with information insecurity goes way beyond Heartland. I do not, as far as I know, have any specific, non-public knowledge about Heartland, but I do know that information security professionals in the financial industry can make informed conclusions.

This problem, this gaping maw of information insecurity that threatens our privacy, our finances, and our homeland, goes way beyond any single company.

I’ve been working for years to bring attention to the lax practices employed in protecting our information assets. My colleagues and I keep repeating the mantra that infosec breaches are the next national security, shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue.

This message has now attracted attention at the highest levels of finance, commerce, defense, intelligence, government, and many others involved in the handling of sensitive systems and data.

Now, one of the first class-action suits I have seen relating to claims of inadequate information security and the resulting harm to shareholders has been filed, and there are other lawsuits and federal investigations in progress that are speaking to the interests of customers and consumers, regulators, and other stakeholders.

We take no delight in having been right on these issues, because the filing of this kind of suit confirms that a significant breach has occurred, and many people have been harmed.

We prefer that security gaps be identified and addressed before there is a crash.

My prediction is that other companies will be involved. This does not let Heartland off the hook for whatever lapses they may have made, but my bet is that there are other weak links in the data access chain that connects to Heartland; that is, there may be joint causes and multiple weak links involved in this breach.

The message to directors, officers, managers, and others involved in this chain of sensitive data:

This is a huge problem, but certain elements are readily fixable. Fix it now, or fight it later.

Laura is a business consultant and an advocate for information security, consumer protection, long-term shareholder value, and better management decisions. Her specialty is finding and fixing risks and threats to sensitive data. Her experience includes international banking, credit card, and mortgage companies, venture capital portfolio companies, and software and technology providers. She practiced law in Silicon Valley during the tech boom and meltdown, handling corporate governance and information protection.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Filed under: Breach, Class Action Lawsuit, D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, Military, PCI, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy 
