I was recently contacted by the CEO of an upstart company in the business health insurance space who wanted my company to enroll. While there were many compelling reasons to join forces with them, as any responsible executive would do, I wanted to know more about how my private data would be protected while in his hands and not mine.
I was presented with a shiny PDF that stated:
“All logged-in communications with (Company Name) are encrypted with SSL (TLS 1.2 ECDHE-RSA-AES128-GCM-SHA256 in Chrome/Firefox), the same standard used by the world’s leading financial institutions. Sensitive company and personally identifiable information (PII) shared with (Company Name) is also encrypted using best practices, including rotating keys and AES-128. For users, all passwords are hashed using the PBKDF2 algorithm with a SHA256 hash and salt.”
Not perfect but not too shabby either. I like the way they compare themselves to the world’s leading banks. Not sure how that is quantified but hey, it does sound great to the uninitiated.
But wait, there is more! Additionally they state in that shiny PDF:
“(Company Name)’s customer data is securely stored off-site in our own dedicated instance of the (Hosting Company’s Name) Cloud. (Hosting Company’s Name) is ISO 27001 certified and all of their data centers are staffed 24/7/365 by trained security guards, with access granted strictly on a “least privileged” basis. For (Company Name) employees, access to sensitive data requires two-factor authentication and is restricted to only those employees who are authorized by customers to perform specific tasks (e.g. customer service). We also keep a real-time audit log of all changes made by administrators, customer employees, (Company Name) employees, and our automated systems.”
Let me get this straight. The hosting company has the ISO 27001 certification, and that entitles my company to usurp its essence as if it were mine? If that’s the case, then I’ll just start calling myself esquire since I do business with lawyers, or doctor since I see one from time to time.
I decided to do a simple SSL certificate check on their uber-secure site before I continued the conversation. I was surprised to see the Qualys SSL testing tool return the message: “This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.”
The first thing I did was convey this serious information to the CEO who had engaged me and was so eager to earn a new customer. I also indulged him with a meeting invitation for the following week, assuming the problem would get fixed. I canceled that meeting just prior to it, since nothing had been resolved and I would not in good conscience risk my company’s data with a company that does not value security as anything more than window dressing.
That was
People who know me do know I’m all about consumer protections. You will notice I let all the parties remain anonymous, but where negligence and deceptive business practices are concerned, that will not be the case for long. The FTC is our friend, and it may be time to check in with them again very soon.
What are your thoughts about companies like this? Do you think public shaming is a viable mechanism to protecting consumers?