Is it Sometimes Better to be Unaware of Your Vulnerabilities?

As I was writing about the hack of LPL Financial’s BranchNet system last week, I couldn’t help but wonder if the Securities and Exchange Commission would have been less harsh on LPL if the company hadn’t known about the vulnerabilities in its system.

In short, LPL Financial performed a security audit on one of its Internet-facing trading systems. The auditor’s report included details of a number of significant shortcomings in the system. BranchNet had no requirements for password length or complexity, and the plain-text passwords of all of the system’s users could be viewed by approximately 300 people in the IT department. A year after LPL became aware of the vulnerabilities, it still hadn’t taken any action to correct them, and the system was inappropriately accessed to make unauthorized trades in customer accounts. In its action against LPL, the SEC said the company had acted in “reckless disregard” of regulatory requirements for the protection of customer data.

I spent some time reviewing the SEC’s press releases for the past 18 months, and found no other actions taken against any company as a result of an information security problem.  The vast majority of censures and fines are related to fraud.

So, would it be better to be blissfully unaware of your security issues, or be fully aware, and just refuse to act?  Most laws in the US are written so that active or constructive knowledge (or “knew or reasonably should have known”) can be used to make a legal case against someone.  In other words, you can’t claim innocence if you should have been aware there was a problem.  However, in the minds of the people in a regulatory agency or on a jury, is it worse if someone knows and does nothing, or if they could have known but didn’t?  It is, after all, people who decide the punishment based on the facts of the case.

I don’t mean to suggest that ignoring the need to perform a security audit is an acceptable substitute for fixing vulnerabilities.  Nor do I mean to suggest that LPL would have been better off without a security audit.  However, if a company knows there’s a vulnerability, the company must act to correct it, or it risks significant liability if and when the vulnerability is exploited.  The reverse of that statement may also be true in some (albeit very few) cases.  If you know that nothing will be done to fix the vulnerabilities in a system, you might be better off not knowing about them.
