Could Regulatory Compliance Encourage Weaker Security?

Being compliant with regulatory or contractual security requirements removes the social stigma of suffering a data breach. I wonder whether following such requirements leads some organizations to have weaker security than they would have had otherwise.

Compliance and Data Breaches

Consider a PCI DSS-compliant company that suffers an intrusion that compromises payment card data. The company can explain to the public that its compliance status demonstrated that it had implemented the controls that society (and the card brands) expected of it. The compliance status can protect the company from a public outcry and minimize the short-term losses to brand equity. Being able to demonstrate compliance may also help in fending off the lawsuits associated with the data breach.

In the example above, compliance partially reduced the need for the company to consider additional measures it should have taken to secure data. There’s also a psychological reason for companies staying within the “safety” of compliance and not considering additional risks to the business or its customers.

Social Norms vs. Market Exchanges

Dan Ariely’s book Predictably Irrational suggests that people’s decisions are driven by two distinct perspectives: one characterized by social norms and the other characterized by market exchanges. Sometimes market exchanges (e.g., monetary fines) can be less effective than societal norms at encouraging the desired behavior.

Dan described a study that explored whether “imposing a fine on parents who arrived late to pick up their children [from a day care center] was a useful deterrent.” Interestingly, once the fine was imposed, the number of parents being late for the pick-up increased. Dan explained:

"Before the fine was introduced, the teachers and parents had a social contract, with social norms about being late. Thus, if parents were late—as they occasionally were—they felt guilty about it—and their guilt compelled them to be more prompt in picking up their kids in the future."

"But once the fine was imposed, the day care center had inadvertently replaced the social norms with market norms. Now that the parents were paying for their tardiness, they interpreted the situation in terms of market norms. In other words, since they were being fined, they could decide for themselves whether to be late or not, and they frequently chose to be late."

Security regulations encourage companies to consider protecting data from the perspective of a market exchange (e.g., a fine for non-compliance), instead of meeting the obligations mandated by social norms. As a result, the companies are unlikely to see a reason for implementing security measures beyond the generic bare minimum controls required by regulations or standards.

Beyond the Generic Bare Minimum

I am not advocating that we eliminate security regulations or standards. After all, they were enacted in response to organizations’ inability to make adequate data security decisions on their own. However, the individuals managing security risks within a company should remember that being compliant does not address all the security risks to their business and customers.

Companies have the obligation to themselves and their constituents to consider what additional controls may need to be implemented beyond those mandated by regulations or standards. I say this while realizing that I’m being too optimistic about the majority of companies actually caring about their social obligations.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
