Custodians of consumer information, be it financial, medical, or PII, have been given ample opportunity to protect consumers.  Industry guidelines have encouraged organizations to employ reasonable and solid security programs intended to protect the public and avoid governmental oversight and intervention.  We think it is time to wave the white flag and concede that this has been a failed experiment.  Theft and misuse of consumer information is not subsiding, and companies are balancing the safety of consumer data against strategies that are not transparent and may not be prudent.  Furthermore, a lack of transparency into what is "reasonable" prevents consumers from exercising their fundamental right to be informed and to make decisions based on relevant data.  

If organizations are allowed to take a risk-based approach, then the consumer must be informed of the potential hazards.  Perhaps organizations need to publish Consumer Security Statements, intended to inform consumers of the inherent risks associated with transactions involving their personal, financial, or medical information.   As we move to mobile-centric and cloud-centric business models, this seems an appropriate step.

Maybe we need to develop a data security equivalent of Informed Consent and apply it to consumers.  The consumer would be informed that an entity's data security posture is provided on a best-efforts basis and that the concept of due care really means "we will protect your data as long as competing business priorities or budgetary constraints allow."

In any case, the current system of self-regulation and point-in-time assessments is not working.  While we are not fans of governmental oversight or regulation, it appears the only organization truly protecting the consumer and holding companies accountable is the Federal Trade Commission.  Maybe the answer is to hold management's feet to the fire, much the same way we do with Sarbanes-Oxley compliance.   

Posted in: Hospitality