Thursday, 30 July 2009

Heartland Payment Systems: What went wrong and why we need the Transportation Safety Board for Data

I am really looking forward to hearing the CEO Heartland Payment Systems discuss the details of the intrusion that stole masses of payment card data. Bob Carr will be giving a webinar on the topic and the subsequent steps they have taken.

Consider what would have happened if this were incident that had occurred in the airline industry. We would expect a team of accident experts from the TSB to perform a detailed open enquiry into the matter, come to strong conclusions about what went wrong and why. They would also disseminate all new knowledge and best practice to be mandated throughout the industry.

For a data breach we get is a webinar. Simply “candid” webinars with CEOs of companies who have been breached is just not good enough. We need publicly funded and accountable organizations to pick through the burning rubble of yet another data breach and force the industry to improve.

Openness and learning lessons from the mistakes of others is the norm in aviation. Aviation regulations are also much more rigorous and are often written through exceptions. For example Rule Zero: No one may fly. Rule One: ... except if you are a registered compliant airline. Rule Two: ... except …

The data world needs similar culture and framework. Perhaps we could start with– Rule Zero: no organization may hold data. What do you think Rule One: should be?