FTC Commissioner: “Somebody has got to pay”

FTC Commissioner Orson Swindle goes off about corporate data security practices. Internet News quotes him as saying “industry has, to a great extent, been irresponsible, and somebody has got to pay.” The article also quotes him as saying the lax data security practices are “being driven in part by those general counsels who sit around and say, ‘Be careful about what you promise in privacy and information security because you might get sued for it.’”

This is complete BS. In-house lawyers are paranoid about being sued for lax data security practices, a fear exacerbated by outside counsel using scare tactics to drum up business. So the (lack of) promises in corporate agreements reflects the fear of being sued, but I would be shocked if in-house counsel kick up their heels on their desks and think “I’ve drafted a tight agreement, my work is done.”

Entrust’s CEO offers a solution: a safe harbor from liability if a company complies with good housekeeping practices. Of course, Entrust’s self-interested solution is that companies should use encryption to get the safe harbor. However, I don’t know how legislators can mandate the minimum standards for data security; security practices are fluid and context-specific.

Admittedly, without any liability, there is the theoretical risk of corporate sandbagging, but my guess is that this is not anywhere close to the problem. The problem is that good security is HARD—it’s an ongoing effort, with weak links both in the technological interactions between different vendors’ products and in the humans in charge of maintaining security. If we accept that security is hard, doesn’t that seem like a more likely explanation for “lax” security practices than GC indifference?