Security · Soapbox

¤/(&/!”#¤ Crappy Security

How many lifetimes of ‘free credit monitoring’ do I have already? Companies aren’t going to fix their security problems until it costs them money.


Every time these corporate ostriches get breached and there is a class action law suit, there is a very predicatable sequence of events. I get compensated with free credit monitoring and possibly a coupon for more services from the company that just screwed me over. The lawyers get paid in real money. The company takes a tax deduction and nothing ever changes.

Why does it continue to happen? This most recent revelation of how bad security is says that 50% of all mobile banking apps are vulnerable to cash loss. So they will get hacked and our data will get stolen along with our money. It will all end up on the dark web. We will all get yet another year of ‘free credit monitoring’. I think I have enough years now to last a small village through a couple of life times.

Some law firm will file a class action law suit. It won’t actually go to court. It will get settled so that the asshats who are responsible will never actually be accountable. To compensate us, we will get some ridiculous coupon for some worthless service like vanity checks from the bank and yet another year of free credit monitoring. Meanwhile the law firm will get paid in real dollars and it won’t be a trivial sum. The company won’t admit any wrong doing and business will resume its shoddy security since the coupons and the credit monitoring all get calculated in to their overhead.

Here’s how we fix this crappy system. First., we need to address the problem with how the lawyers who are SUPPOSED to be looking after the interests of the class get paid. Let the lawyers get paid in the same way that the members of the class get compensated. If coupons are good enough for my damages, they should surely be sufficient to compensate the lawyers. If a year of credit monitoring is sufficient to make up for my data being spammed around the planet, then it should be sufficient compensation for the lawyers. If we align their compensation with mine, then we get a bit closer to aligning their interests with mine. This should make the cash payouts start happening and put an end to these meaningless tokens.

Lets look at what is involved in that coupon. Standard retail markup is 150%. Lets say its a $10 item. That means the cost to them is really $4. Not only do I get stuck with a coupon for the company that already screwed me over, but the entire settlement is discounted by whatever their margin is, which at consumer retail, is pretty big. If the class has a 100,000 members that means I can settle this for $400,000 of real cost instead of the $1,000,000 that I will write off as lost revenue.

Next we need to fix how the business are penalized for a breach. Tie data breaches to the executives’ not getting bonuses and watch how rare data breaches become. When we bailed the banks out of the housing crisis, the payback of the bail out money was tied to exactly this. No executive could get a bonus until the bail out was paid back. That bail out money got paid back in record time. Let all the boards and executives know that if they have a data breach they will not get their bonuses for 5 years. If they have a breach and don’t report it, they don’t get their bonuses for 10 years. Since this involves a lot of financial stuff, we can invoke SOX, and GLBA to send send them to jail after we take away their bonuses because they will have had to cook the books for it to remain unreported.

Why am I so adamant about this? Because we keep finding out that the corporations knew about their security problems for months or even years. It was difficult or expensive to fix so they chose to ignore it. Instead, they calculated the probability of it catching up to them, totaled up the dollar amount it would cost them in the event that did. Based on the pittance it was going to cost for the coupons and free credit monitoring, they decided to let the rest of us just suck it. If Home Depot alone had to pay me my hourly consulting rate for dealing with getting all my credit cards replaced because of their cheap crappy security, it would be a lot more than a $20 coupon to the garden center and a year of credit monitoring.

Leave a Reply

Your email address will not be published. Required fields are marked *