The Hidden Liability Of Large Corporations

Some years ago, in the distant past, corporations gained a status under U.S. law akin to being persons. Thus they have certain rights previously reserved to humans only. One question this prompts is, what responsibilities did this also impose? Keep that in mind while reading this short essay.

I’ve been an enthusiastic participant in the IT community for many decades, probably more decades than you’ve been alive. But I’ve never been involved in the senior levels of this community. I’ve never discovered a new search algorithm, or had long conversations with Chief Information Officers (CIO) of large corporations. And I’ve never been particularly involved in the security aspects of the community. But I did learn a few things early on which should be blindingly obvious to anyone who works in this industry.

First, back up everything. In more than one place, and offline if possible. Everything. Always. Ever lost or broken your smart phone, which coincidentally contained every phone number you ever needed to know? Ever lost a hard drive which contained the only copies of every family photo you ever had?

Second, never just reflexively open an email attachment from someone you don’t know. In fact, if possible, before even viewing an email from an unknown source, check to see where it came from. If you don’t know or can’t tell, delete it. People from Nigeria don’t have the kind of money they try to tell you they’ll give you if you do X. Never share any personal details with anyone on line unless you know absolutely they’re on the level, and have a mighty good reason for wanting to know it. In fact the best course of action is to view your personal details as worth solid gold, and assume everyone you meet on line is trying to steal them from you.

Third, use a different password for every site you visit which requires a password. And don’t use an easy-to-guess password. In fact, use a password which is hard to “crack” (hard for a computer to guess). That means, don’t use common English words or names. Use passwords at least eight characters long, preferably longer. Include some lower and some upper case letters. Use numbers as well. Want to be really secure? Use some symbols, too.

This third item is the one most important for the present discussion. Recently, there was a data breach at Equifax, one of three credit rating bureaus in the United States. So far, it’s estimated that 143 million Americans have had sufficent personal details (which the credit bureaus are in a unique position to know) revealed to easily allow anyone to masquerade as these people. Just to be clear, one of these people could be you or someone you know. It’s roughly half the population of the U.S. Do you know how this data breach was accomplished? Some idiot at Equifax had a database secured with the username “admin” and a password of “admin”.

Am I kidding? No. I’m not in a position to know, but my understanding from people who know much more than I do about corporate security is that all the recent major security breaches we’ve heard about are made possible by exactly this kind of bonehead security practice.

So here you have a major corporation which has a plethora of personal details about you. Incidentally, I didn’t give Equifax this information about me. Somehow they found it out. But I never gave it to them. In any event, they have all this invaluable information, and their security practices are so bad that some idiot there allowed access to critical intimate personal details via a mechanism that any absolute beginner in the IT field would know to avoid.

Here is a huge corporation spending millions per year on IT personnel, and some (hopefully) large proportion of their IT budget given to people whose job it is to check and test their security. And this is the result. How dumb can you get?

But there’s a deeper question here. I didn’t give these people all this critical information. You didn’t give these people your information. Yet they have it. And now that it’s been breached we’ll be the ones who have to pay for any possible bad consequences (like having our identities stolen). Yes the class action suits have already been filed. Investigations have already started.

But here’s the real point. Let’s assume for a moment that this corporation is treated under law as a person, a citizen, of the United States. Now let’s assume for a moment that you gave all the information Equifax has about you to a friend of yours who swore up and down he’d keep your info safe. Then he went and did exactly what Equifax did: left a hole a mile wide in his security. And worse, someone stole the data. What would your friend owe you? What could be done to him in court? I’m not a lawyer, but I’ll bet that kind of lawsuit would be easier to prosecute than one aimed at Equifax.

Wait a minute. Equifax is a huge corporation. They discover, track and keep intimate details about you in their databases. Don’t they have some responsibility to you to keep it safe? You bet. Even though I’m not a lawyer, I’m pretty sure a case could be made that a data breach like this is a violation of some explicit or implicit bond of trust between us and them.

But the real issue is, if large corporations have the rights of persons, shouldn’t they also have the responsibilities of persons? Shouldn’t there be automatic consequences when they fail in their responsibilities to the public they service? And the larger the public they service, and the larger the corporation, shouldn’t the consequences be that much more severe?

I don’t have a stake in Equifax. I’d be just fine if their corporation was bankrupted by this debacle. If you can’t handle the trust (implicit or explicit) we’ve placed in you, then you don’t deserve to have that trust. But I think the law should be written such that a provable breach in that trust means a corporation has failed in its responsibilty, and thus loses its rights as a citizen as well.

Again, I’m not a lawyer, so I’m not familiar with the law on this. But I’ll bet money that corporations have the rights of citizens, but do not bear the responsibilites of citizens. And if so, I think it’s something we should remedy in short order.

Let’s look at it this way. Johnny works at the local convenience store, and has the keys to the store. But he forgets to lock the back door one night, and tne next day, the guy who opens the store finds everything in it has been stolen. At that point, we don’t care whether Johnny was careless or malicious. He still loses his job. There is no other acceptable outcome.