Thursday, August 6, 2009

Companies Take Heed

Corporate Ethics Must Change, Says Matwyshyn. A Wharton School professor says that corporations will have to adapt to increasing consumer savvy when it comes to the role of information security in business dealings, reports Forbes. At Defcon last week, privacy expert and Wharton professor of legal studies and business ethics Andrea Matwyshyn said: "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing." Matwyshyn studies corporate law and information technology. She says even though they are not required to disclose their security procedures to consumers, big businesses should inform customers about their security practices and threats, adding that if corporate ethics don't change, legislators might step in.

While it is true that businesses are not required to disclose security procedures and methods, the public still has the last say in this. When you go to work for a company, enter into an agreement or contract with another business, invest in it, or simply do business with it, you have the right to expect that it is handling your personal information in a responsible manner. And you have the right to NOT get involved with a business that does not take this seriously. If the business is covered by the Red Flags Rule, you can ask to see its identity theft prevention and response policy. I have been to bank branches for speaking engagements since Nov 1st of '08 where the branch manager had no idea of the bank's policy nor what the policy document looked like. Banks were to be in compliance prior to November 1st of '08. The bottom line is this: if you are one of the people who are waiting for the government to fix the problem, you are not going to get any satisfaction. We are empowered to make businesses take the responsible route when it comes to data security. We live in a society where lawyers throw cases of client files in dumpsters, personnel departments email sensitive personal info to one another without any sort of encryption or protection, and employees lose laptops and thumb drives containing unencrypted NPI on a regular basis. These are just a few of the "mistakes" companies make daily, and they do not include the intentional theft of paper files, flash drives, and CD-ROMs by underpaid, laid-off or disgruntled employees needing extra cash.

If a business does not address this issue head on, by training staff and honestly assessing internal risk, it is playing with fire. Company size is no exception either: EVERY business, regardless of size, must take heed. This is a real issue with real consequences, and businesses are the prime source of data.


Smith said...

I chanced upon your blog and found it very interesting. Great ... Keep it up!

John Taylor said...

Thank you.