We Take Your Security Seriously


“We Take Your Security Seriously” exclaims every single company after a data breach.


No.  No you don’t.  Not even a bit.


If you took our security seriously you would have implemented a governance structure that prioritised the importance of our information; a set of procedures that ensure a repeatable, reliable and effective way of handling our information; and appropriate technical controls to protect our information.


But you didn’t.  You decided instead that it was an expense you could do without.  You asked your IT team if they were doing a good job of securing all that information, and, surprise, surprise, they said that they were.  And that’s if you are ethical.


If you don’t pass the ethical bar, as we’ve seen with Unroll.me this week, they not only don’t take your security seriously, they actively exploit your personal information for profit.  And then apologise that you found out about it.


A year of free credit monitoring is as worthless to you as it sounds.  And that’s the best you will get after a breach.


It is true that on the internet if you don’t pay for the service you are the product, not the customer, but that doesn’t mean that the companies we trust our personal information with should be disregarding its value to us.


We are a strange sort of product because unlike a can of beans, we can choose to walk away to a different store.


Don’t be a can of beans.

Phil Kernick