June 13, 2011, 12:34 PM — Last week I was too quick to give CitiGroup credit for behaving responsibly after an attack on its online banking site that penetrated security on the servers holding half the data in records of 210,000 CitiGroup customers.
Unidentified attackers took customer names, account numbers, email and street addresses, but not Social Security numbers, CCV numbers or other data that would be used to confirm a customer's identity, which were stored separately.
I was trying to use CitiGroup as an example of how a responsible, secure company could also be breached and the differences a few simple security measures make. Citi lost half the data it held on 1 percent of its customers; Sony lost all the data on most of the customers it held on (at last count) 18 separate networks or sites, after failing to take any of those steps.
Citi, it turns out, waited between 10 days and three weeks to notify customers their data had been swiped. That's way, way, way too long to leave customers exposed while you go about printing new cards and conducting an investigation internally, which is what Citi says now that it was doing.
Finding out a company was as much weasel as hero during an emergency response for which you praised is not the kind of thing that inspires unlimited confidence in the ability of top corporate officers to make the kind of ethical, customer-supporting decisions they always say they do.
On the other hand, it makes Citi an even better example of why we need more consistent security rules for private customer data.
Banks are already required by federal regulations to maintain tight security, and are heavily incented to make that security obvious, because people don't deal with insecure banks.
That's why bank vaults used to have those giant steel doors in plain sight of the customers. It inspires confidence in people who spend their time in line for a teller trying to figure how they'd get through that door without getting caught – and can't do it.
If a company that thinks so much of its reputation for good security that it will spend extra money to make its vault door visible and attractive can wait three weeks to tell customers they've been robbed, online security regulations don't go far enough.
Detailed regulation isn't supposed to quash innovation. It's supposed to identify dangers to the public and require companies whose services might create those risks to rise to a minimum level of competence.