Saturday, January 06, 2024

Security is the responsibility of the vendor - 6 January 2024

23andMe is in the headlines because they suffered a security break-in that revealed private information about their users.  23andMe has taken to the headlines to claim that their users are the cause of the failure.  In short, 23andMe claims that users reused their passwords from other sites, thus enabling hackers to break in.

This is stupid.  23andMe is responsible, not their users.

You do not believe me?  23andMe cannot be that stupid?  Then follow this link from Wired magazine with the headline, "23andMe Blames Users for Recent Data Breach as It's Hit With Lawsuits".  Or google for your own sources.  

I do not know why I have to say this, but if you (corporate or person) collect information from me for a specific purpose, then you have the responsibility to protect that information from other users and hackers, and you have the further responsibility to use that information only for the purposes under which it was collected.  

I protect my personal information at home and I surrender that information only for purposes that I choose.  I expect you to protect my personal information in exactly the same way.  This is made explicit in HIPAA laws in the United States and in personal privacy regulations elsewhere (e.g., GDPR laws in the EU).  Should you fail to protect my information, you are subject to liabilities and consequences.

Furthermore, I provide my information only for specific purposes (again, see HIPAA and GDPR for examples), and you need to limit yourself to those purposes.

Companies and individuals set up security protections for these very reasons.  Firewalls, encryption and the like are technologies for the security and protection of systems and information.  For 23andMe to turn around and blame users for a data breach is absurd.  23andMe bears full responsibility.

Why do we have to say these things?  Are there no adults running 23andMe, no adults who can guide the rest of their company to do the right things?  

Rant over.  The photo is of a 10th-11th Century castle built for protection in Portugal.  
