Apr 15, 2018

Please Don't Be Like These Guys

With the inevitable breaches that hit the news regularly, I often find myself asking: "What exactly are companies doing to protect our data?"

Demand Real Transparency

Granted, I don't believe companies should post online precisely what they are doing, but some level of reassurance is warranted. Just as security-conscious organizations bound by compliance and audit requirements prove adherence to frameworks like PCI and SOC, every company should be able to articulate how they protect customer data. Individuals should apply that same due diligence when selecting services to store, transmit, and process their information—at least at a basic level of understanding.

For example, here’s something posted on an email service website (not an ad):

While they don’t share every detail, this company at least demonstrates that they are using “secure implementations of AES, RSA, along with OpenPGP.” With that declaration, I don’t have to wonder if they are relying on MD5 (not encryption) or security through obscurity. It provides some ease knowing that they are saying the right things, even if I can't fully validate their implementation. Don’t you wonder if other providers and custodians of your data are even attempting to protect it?

Physical Security Still Matters

Recently I visited and toured a medical facility that was actively seeing patients. I looked in the basement and, to my surprise, found patient records wrapped in plastic. I'm not sure if they believe the wrap will keep the files from walking away. I’m also not sure their customers would feel reassured if their data were separated from the public by a single glass door that anyone walking along the building could smash before making off with their medical records. It's a fact that medical records are worth more than personal details or even credit-card information. You would think medical facilities would operate better since they house such data and have been targeted repeatedly. I know this is only paper, but if they treat these files like this, just imagine what they’re doing with a patient’s electronic records, which many likely know even less about protecting.

Ask More of Your Providers

Would you be a patient at a place that treats your files like this? Well, you might be already. #justSaying! I am personally going to start inquiring more about the things I am paying for when it comes to choosing one company or provider over another for services. I don't even want to know how their electronic data is stored.

I believe that, in time, the best companies will prevail as breaches continue to be revealed to the public eye. People decide with their dollars. Maybe one day all data a company collects on a user will be encrypted and not just usernames and passwords. Until then, ask more questions about their practices. The old saying, “ignorance is bliss,” will only go so far.
