May Contain Blueberries

the sometimes journal of Jeremy Beker

I think everyone who reads this knows that I am a bit of a security wonk, so I read with interest an article about the latest breaches to corporate security and loss of customer data: Even Big Companies Cannot Protect Their Data.

“It’s disturbing,” Ms. Scott said in an interview on Monday. “Companies have to do a better job protecting our privacy. You would think companies like eBay and Amazon have the financial backing and wherewithal to take the proper security measures.” But the article seems to take the question to be “why can’t the companies do better.” I think that is the wrong question. The question is “why_ won’t_ the companies do better.” And I will modestly put forward what I think is the simple answer.

There is no monetary incentive to do so. (yet)

The parenthetical is my optimism that at some point it will be worth it to do it. I am not saying that there are not egregious technical lapses in many pieces of software, but solving the technical problems behind securing data is possible. How expensive it will be is unknown at this point, but I think it is absolutely true that at this moment it is cheaper for the companies to not fix it right now.

Security is a balancing act between risk and reward. In today’s market, the risks (and associated PR flak and monetary costs) are not large enough that the merchants are interested in investing more money to fix the problems. This is partly a result of the current system that the costs associated with most fraud is absorbed by the credit card companies or possibly the insurance companies if they are large enough.

Until those organizations say “enough is enough” and force merchants to invest (which will then filter down to the software companies), the merchants don’t have an incentive to do better.