For whatever reason, I’ve been pondering similarities and differences between financial and IT risk lately, and one big difference seems to be around reputation in these two areas. The financial world painstakingly maintains institutionalized memory of credit issues through standardized credit ratings. Companies, cities, and even countries are rated based on current and past performance, and a ratings downgrade is a BIG deal.
Why isn’t there an analogous service for systems security risk? For example, Mike Ramirez just pointed out a data breach at Monster.com; I’d love to go somewhere and see whether that was the first time. Have they been breached before, and I simply didn’t hear about it? How about Heartland Payment Systems? It seems to me that right now, companies can get away with repeat offenses simply by flying under the radar.
Of course, there is always the Listeriosis Clause to consider — who do you trust more, the company with a dedication to quality that is forced to disclose, or the lazy/ignorant company who never even looks, and therefore never has to tell?
In any case, I’d like to see collections of disclosures about the various services I choose to use or do business with. I’d like to see data collection for the purposes of comparing privacy policies, TOSs, and known breaches of or challenges to those policies. Another issue that I believe could gain prominence is being able to easily research whether the companies I interact with are sending or storing my information across international borders. I think there would be some really interesting discoveries in such a body of data.