Wednesday, October 21, 2009

Regulation Theater

Bruce Schneier introduced, to me, the concept of security theater.  The idea that much of what we see in terms of ‘security’ – TSA, Homeland Security, etc – gives us the illusion that something is ‘being done’ to make us more secure, but in reality does nothing – or at worst – makes us less secure.

I have grown to understand that regulation does much the same thing.  And this has nothing to do with “government bad, markets good.”  This is true because written rules are brittle, vague and unable to adapt to fluid situations.

I work for an organization that is bound by PCI guidelines – a private consortium of credit card providers that create security rules for companies that accept credit cards.  (I told you that this wasn’t an anti-government screed.)

The concept behind the guidelines is well intentioned.  Credit card companies are liable for losses due to the theft of credit card numbers.  Unfortunately, they don’t have control over the entire transaction.  Retailers accept and store credit card numbers and have been one of the primary sources of theft over the years.

But I can tell you with absolute certainty that these rules are not making retailers more secure.  We spend a lot of time and money so that we can pass the audits.  But little of this activity is actually making it less likely that credit cards can be stolen.

This isn’t to say that none of their rules should be followed – quite the contrary – most of them are simply common sense.  But, some of them are:

a) Simply not applicable in our environment – but the rules do not distinguish between risk and no risk, they say that you must do X

b) Less risky than other holes in the environment.  Every company has limited funds that it can spend on security (security is always a trade-off between costs and benefits), and if we have a hole Y that has a 10% chance of loss and one Z that has a 1% chance of loss, we will ignore Y in favor of Z if PCI hasn’t addressed Y.

The PCI – or any regulator for that matter – simply cannot know the details of every environment.  We have a pretty good idea what our risks are, but we can’t address them because we are too busy engaging in the theater of making PCI think it’s all OK.

If the card issuers really want the retailers to take the risks seriously they need to create the incentives for us to really care.  Make retailers partially responsible for a breach.  Let us decide where the risks and rewards are – if we have skin in the game we are going to be much more successful than you trying to guess what is likely going to be a problem.

This is true for other areas as well – don’t create rigid rules like SOX & HIPAA with rules that don’t actually address the problem you’re trying to solve.  Make the failures expensive and the perpetrators culpable.  The results will be far more successful.

POSTSCRIPT: Even knowing how many holes there are in most companies I feel safe using a credit card at almost any company.  The breaches require several steps of compromise and are unlikely more often than not.  Not impossible – but improbable.

Wednesday, October 14, 2009

Is This Called Reverse Rescission?

My father-in-law passed away early this spring after a very long, very painful battle with cancer.  The last 6 months or so of his life was spent in a cancer clinic receiving chemo treatments 2 or 3 times per week.

I can say pretty definitely that medicine prolonged his life, but I have a really hard time deciding whether it was worth it – but those aren’t really conversations you can have with anyone, can you?

After he passed away his wife spent months going through all of the medical bills trying to make sense of them.  He typically took care of these things, but those last two years were really tough and I think that he was getting a bit addled.

It took her a while – maybe three months – to organize all of the bills and get them filed for payment.  But she finally completed that herculean task.  And then the worst happened.  The claims came back one by one with DENIED written across the top.

Not only had my mother-in-law lost her husband of almost forty years but the insurance that they had been counting on to cover hundreds-of-thousands of dollars was being denied to her.  Needless to say she was more than a little distressed.

To many of you this comes as no surprise – in fact you were probably expecting this outcome as soon as you started reading.  To the family, this was completely unexpected.

So she called the insurance company to find out why all of the claims were being denied.  It turns out that my father-in-law had changed his coverage about two years ago.  He changed that coverage to the most basic coverage that Illinois law allows.

Needless to say, the minimum coverage doesn’t cover extensive chemotherapy, frequent doctor visits, huge regimens of drugs and specialists that were used very liberally to keep the man alive.

I doubt that this is what he had intended to do.  Like I said, he was very sick – and very proud.  Too proud to turn over the increasingly burdensome task of handling medical bills to his wife or anyone else in the family.  His wife felt the same way.

So she called the insurance company and pled her case.  Needless to say they were sympathetic to her story.  They had signed documents, the law and a case history of at least two years on their side.  My father-in-law did not have – nor did he pay for – insurance coverage that would pay for this massive set of bills.

But she never gave up.  She kept calling different departments at different levels of responsibility until someone finally relented.  Whether it was to get her to leave them alone or because they were persuaded that it was simply illogical that a very sick man would voluntarily cancel insurance that was paying for services that he was already using, I don’t know.

But in the end they agreed to cover over $200K of bills – minus the missed premium payments.

Keep this in mind the next time you hear that all insurance companies simply drop coverage as soon as their customers get expensive.  I’m claiming that this practice is widespread.  After all, companies don’t stay in business if they simply give money away to everyone that asks for it.  But they aren’t necessarily the cold-hearted, money-grabbing bastards that they are often portrayed to be.