Full Costs of Information
Jun 3rd, 2008 by sherri
I just finished reading Paul Hawken’s excellent “Ecology of Commerce,” and noted a number of similarities between the environmental industry and information security. With respect to both the environment and information security, companies are not fully internalizing the costs of their actions, leaving society to pay for many negative effects.
Hawken points out that “when a forest products company buys logging rights from the Forest Service at pennies to the dollar and then clear-cuts the area, leaving it degraded for the next hundred years, the “profit” from the sale of the wood goes to the corporation, but the loss of habitat and biodiversity is borne by society… The companies who practice driftnetting, sweeping monofilament nets thirty miles long through the oceans, will never be presented a bill for the decimation of Pacific fisheries.”
Similarly, organizations today are externalizing costs with respect to information collection and mismanagement. Companies collect enormous amounts of sensitive information about their customers: financial information such as credit card numbers, personal information such as social security numbers, shopping records, health records, communication records. This information is often very poorly managed and stored in many places on their network. Often, companies will claim to auditors that sensitive data is stored in a specific database, and completely ignore the fact that it is also cached in spreadsheets on employee desktops, on laptops, on the email server, and in backup tapes.
When a company sells personal data to another company, it profits from the sale but experiences no further liability, even though its customers are now at a higher risk of data theft and are never even informed of this fact. Data is often stored indefinitely, even after policy dictates that it should be deleted. If losses occur, they are often not detected; if they are detected, they are often not reported. This is because there is little incentive for companies to detect incidents of customer data loss, and even less incentive to report them. Even when regulation dictates that a loss must be reported, companies work to find loopholes and sometimes decide that the risk incurred by deliberately hiding an incident is less than the definite cost of public disclosure.
If a company loses millions of credit card numbers, who bears the cost? As long as no one finds out that the company is to blame, then the customer and society bear the cost of dealing with credit card fraud. In today’s environment, companies benefit from harvesting, storing and processing consumer information, but are often able to pass costs of mismanagement, which include credit card theft and identity theft, back to the consumer. Companies are routinely able to cover up incidents and pass off risk, and therefore they achieve maximum profit when they store and sell customers’ data and do not bother investing in proper management.
Perhaps the most serious cost of information mismanagement is also the most dispersed, and the hardest to quantify. Across America, government, small businesses and corporations are dependent on IT, and store tremendous quantities of sensitive data on networks which are poorly secured. As a security consultant who has worked in many different industries over the past seven years, including finance, transportation, health, government and academia, I have seen this firsthand. Nationally, we are at great risk of accident (such as the 2003 northeast blackout which was linked to a virus) and also vulnerable to deliberate large-scale attacks.
Hawken writes that “where harm and suffering exist because of market dealings – when the real costs of that market are not factored into the price of goods and services – we require the government as representatives of citizenry to step in and prevent those abuses, one way or the other.”
Bruce Schneier has called for a comprehensive data privacy regulation. While I agree that this is a step in the right direction, I have to wonder if economic solutions might be more efficient and effective than regulation. Hawken cites Pigovian taxes – the origin of “green taxes” – as one economic solution to environmental problems. “Pigou argued that competitive marketplaces would not work if producers did not bear the full costs of production, including whatever pollution, sickness or environmental damage they caused. Pigou’s solution was to impose a ‘tax to correct maladjustments’ on producers, a tax that would be comparable to the avoidable cost or unborne expense. Pigou cited prematurely peeling paint on a house near a coal-fired mill as an example of an external cost that should be paid by the producer. He theorized that when the producer was forced to bear full costs, it would have incentives to reduce its negative impact, thus lowering those costs.”
Perhaps Pigovian taxes can be applied to information management in order to provide real incentives for companies to appropriately manage their data. For example, the government could tax corporations based on the amount and type of personal data stored, internal information management policies and the results of yearly information security audits.
Right now, personal information is cheap to harvest and profits are high. Companies clear-cut forests because they are able to absorb the short-term gains and pass off the long-term costs. Similarly, companies harvest information from consumers, store it carelessly and resell it, reaping short-term financial gains and passing off the costs. Using Pigovian taxes or a similar strategy, we could perhaps give companies quantifiable, assured financial incentives to reduce the amount of personal data stored, develop appropriate information management policies, and meet security standards.

In the absence of government intervention, the insurance industry is in the process of supplying a kind of surrogate for something like the Pigovian taxes you mention, I believe. The hospital I work for has recently begun to consider purchasing data insurance, to cover losses associated with data breaches. The cost of coverage will derive in part from an audit of our security procedures. I have no doubt that the exercise will be limited, the cost burden inefficient and the analysis in many ways faulty – but, like the daily food supply system for New York City (to borrow one of your elegant analogies) it may suffice – in this case to change corporate behaviour before the breach.
… and thanks for your interesting thoughts!