9 comments

  • hn_throwaway_99 2 hours ago

    It's amusing to me how the economic and cultural incentives at so many companies are to lie as much as possible when it comes to breach disclosures while pretending that you're still technically telling the truth.

    I think that in all of these cases it would have been no worse for the companies in question if they just sent out a dry, "just the facts, ma'am" report of what actually happened, without any of the BS "the security of our customer data is our primary priority!" statements to begin with that always accompany these kinds of breach disclosures. E.g. something like:

    On <date>, due to a vulnerability in the third party vendor SolarWinds which provides network security services for us, we detected the following breaches of customer data:

    1. xxx

    2. yyy

    The steps we are currently taking, and what you should do: zzz.

    ----

    Perhaps one good thing that can come out of this is that some sort of "standard" format for breach disclosures comes about (think the "Nutrition Facts" labels on food boxes in the US). All I do when I see companies trying to minimize breach disclosures is assume they're bullshitting anyway.

  • mise_en_place 9 minutes ago

    Probably not the case here, but the issue is with how some of the NIST standards around cybersecurity are certified. API endpoints are manually tested and then screenshots are provided. Completely manual and very inefficient and prone to human error. This is an issue of US national security; we need more skilled hackers in this space.

  • MattSteelblade an hour ago

    > Unisys will pay a $4 million civil penalty;

    > Avaya will pay a $1 million civil penalty;

    > Check Point will pay a $995,000 civil penalty; and

    > Mimecast will pay a $990,000 civil penalty.

    With the exception of Mimecast, these are companies that are bringing in billions of dollars in revenue annually. How is this supposed to deter them?

    • ensignavenger an hour ago

      Unisys and Avaya are both reporting losses. This fine makes it even more of a loss. Further, if they don't mend their ways, the SEC will give them an even bigger fine.

    • alephnerd 3 minutes ago

      > How is this supposed to deter them

      Unisys and Avaya are both security vendors. This absolutely is a bad look for them, as almost every Security RFP asks about internal controls and how a vendor has remediated against these issues.

    • 0xffff2 an hour ago

      They pay the penalty and they are expected to fix the issue. If they don't, there will be additional enforcement actions.

      • Mistletoe 43 minutes ago

        Doing anything at all probably costs more than $1M.

  • librasteve an hour ago

    I feel that it is time to criminalise corporate fraud - i.e. executives presiding over businesses or state organizations that lie, deliberately obscure or suppress any relevant facts should expect jail time. This ought to be at similar levels of time and standards of “should know” as health and safety law.

    Several recent examples would have fallen foul of this … Grenfell tower, Tesla FSD, Boeing 737max, Thames Water, United Utilities and the EA.

    • Etheryte 11 minutes ago

      I agree; we already see this in the financial industry: if you don't do your part to prevent money laundering, you can be facing real jail time. It's long overdue that similar liability came to other industries, and the examples you brought up show it's clearly necessary. The free market and its financial incentives alone are not cutting it.