Hi.
I'm Jon Lehtinen.
I want to talk about when whistleblowing should become the response to corporate negligence.
Before I get blacklisted, or I go back home and my badge stops working, I first need to say that
1
2
One of the more obnoxious pieces of advice a leader gave me early in my career was that "perception is reality."
He meant that I had to be careful and empathetic in how my words and actions could be perceived by others, namely my customers.
Whenever there was conflict or an issue, regardless of the justification, the reality for my customers was that something was wrong, and the thing I was responsible for was the source of their problems.
There were 1,579 breaches involving PII in 2017. As infosec and identity professionals, this is very much a thing we should be concerned about.
Let's talk about the cost of these breaches in terms of time and money.
3
Ponemon Institute – 2016
4
But what of the human cost?
We are infosec/identity professionals; we are in tune with this stuff. What about retail workers, retirees, students, and everyone else?
How must they perceive this, if they are even aware of it outside of breach fatigue?
Time cost:
Enabling a credit freeze
Enrolling in credit monitoring
Canceling fraudulent accounts
Changing accounts/payment options for impacted services (utilities, websites, stores, etc.)
Identity theft of children
How burdensome is this? It often costs a fee to freeze/unfreeze your credit.
25% of the population is unbanked or underbanked
44k total wealth (all accounts, possessions, everything, not just liquid capital)
5
Comparatively, a corporation has the cumulative time of its employees at its disposal.
It's also functionally immortal, being a legal person.
It also has fewer constraints and much more capacity to influence power structures than the puny humans it is inconveniencing.
6
Let's pick on the biggest breach of 2017.
There are 249mm adults in the US; this breach impacts about 3/5 of all US adults.
The estimated cost of remediation (restitution, fixes, etc.) is $600mm as of May 2018.
Equifax is worth 3.2 billion per its 2017 SEC filing. That's still a sizeable ratio of cost to equity, but the marginal utility of money suggests that for an org worth 3.2 billion, losing 600mm is less impactful when 50% of American families do not have the liquidity to cover a surprise $400 expense.
7
So let's examine how the markets are reacting to and enforcing good PII handling practices.
Equifax lost ~30% of its stock value after disclosure, but recovered over time and now hovers at around 14% less than pre-disclosure.
I'm not saying that's good or bad, nor am I making a normative statement that it should be a certain value. I'm just saying what happened.
8
But if we zoom out just 5 years, we see that Equifax is actually trading at about 2x its post-disclosure price.
From the perspective of folk expecting a market correction, it seems that Equifax is still in a superior position compared to just a few years ago, so that dip doesn't really reflect much of a correction at all.
9
No lasting consequence for malfeasance
No regulatory response; stock price nearly recovered
Golden parachute for execs IF they are forced out
10
"From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act's increased standards for corporate disclosures."
"A complex hack may not be a C.E.O.'s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives. The same holds true for government. Protection of the welfare and livelihood of its citizens is a foundational principle of government, and yet for more than a decade there has been very little consequence for nation-states and state-affiliated groups who've pilfered the intellectual property, and violated the personal privacy, of citizens and companies around the world."
Both enterprise and government are asleep at the switch here.
11
We do not have our Sarbanes-Oxley of identity, though we had our Enron-class disaster in Equifax.
When the companies themselves are not accountable, and when the government that allows that company to operate is incapable of holding them accountable, populist indignation may begin to manifest itself in unexpected ways to force accountability. This is a recipe for whistleblowers and insider threats motivated not by gain but by "justice."
12
How did we get here? I think we need to consider the entire landscape of the last 35-40 years to see how the slow build of changing corporate, governmental, and socioeconomic structures positioned us so precariously. I'm going to talk in general trends here, and I'll avoid normative statements and editorializing.
13
Consider how enterprises have changed over the last 35 years.
Contracting vehicles and contract-to-hire push the risk of the employment relationship onto the prospective employee.
4-year degrees have become the minimum requirement for an entry-level job. Sometimes unpaid internships are required to show work experience BEFORE starting a career.
Companies tend to hollow themselves out to reduce cost in the short term at the expense of long-term stability.
And anyone who has worked in enterprise can tell you how hard it is to get budget for anything that is not a revenue-generating activity (like retiring technical debt).
14
Rolling back of the changes made during the New Deal and labor movements
Decline of union power and steady legal erosion of worker protections by regulatory agencies, legislatures, and the courts
As global trade opened new markets: de-industrialization, and the rise of increasingly specialized labor, necessitating those expensive degrees to get entry-level jobs, assuming you were apt enough to do that work. Deindustrialization just meant now you did unskilled labor very cheaply.
Eventually replacement of governments as the locus of power in society
Regulatory capture
15
Decreased investment in public education as it became a requirement for work
This happened at a time when state funding of schools stopped, and tuitions grew at a rate several times faster than inflation.
Unlike all other forms of debt, student loans became impossible to discharge thanks to a series of laws in 1976, 1984, 2005.
On top of carrying $1.5T of UNDISCHARGEABLE debt required to get the credential to get an entry-level position, wages stagnated relative to productivity.
Public in-state up 237%, out of state 197%, private 147%
Rising opiate overdoses, suicide rates: CDC says up 25% over the last 20 years.
Adam Curtis – No Future. We recognize something is wrong, but not knowing how to react we continue onward. We have given up on the notion of a better future. Delivery of information is efficient, everything would be fine, but this ignores that there is absolutely nothing left to say.
16
Millennials & Post-Millennials are 40% of the workforce, rising
I shudder at mentioning generational politics, but this is relevant, because:
Started careers during the Great Financial Crisis
They saw the carnage from the layoffs that came with the Great Financial Crisis, and experienced the headwind of building a career in that environment
Often carrying un-dischargeable student loans (law changed in 2005) because they began at a time when college degrees and unpaid internships were how one launched a career.
Fear of default on those undischargeable loans reduces negotiating power come raise time; of course it's not like COL/annual raises have been keeping up with inflation since the GFC anyway.
17
A workforce experiencing perceived injustice (not just for themselves, but also for everyone else who is suffering under this power imbalance) and having a lack of faith in the traditional avenues of redress leads to whistleblowing/vigilantism/something else.
18
If this sounds unlikely, consider that this has already become a pattern in government, where the stakes are much higher.
Edward Snowden: NSA mass spying program
Chelsea Manning: Collateral Murder & diplomatic cables
Reality Winner: NSA memo on Russian interference in the 2016 elections
19
If an organization will only fund the fix to IAM/security after a catastrophic incident, then raising the risk of such an event may be seen as a forcing mechanism.
What is the "ethical" response to someone who holds corporate wellbeing/their career in lower esteem compared to the greater good of millions of real people, when they see an ignored vulnerability that puts the PII of millions at risk and that won't get fixed unless it breaks?
But Jon, society is broken, so to whom would the whistle be blown? Exposing the problem raises the likelihood of exploit. Fair.
What would it take to shame an organization into action? Think an anonymous reddit post or tweet. The bar to expose your organization's dirty laundry could be alarmingly low.
20
Rather than just focus on how bad things are and how scared we should be, let's instead focus on the spheres of influence & control we do have.
21
Actions to take immediately as an enterprise
Establish a process for reporting risks
    Gets visibility to controlling stakeholders who are likely unaware of the technical implications/existence of such a weakness
Transparency in risk mitigation calculations
    Risk = Probability x Loss may not be known/understood
    Sharing WHY that technical debt may go unresolved (if cost of remediation is worse than the cost of an exploit) goes a long way toward stemming potential resentment, AND building a culture of transparency and security
Update your insider threat models to account for the "altruistic" leaker
Consider not being "evil" (another touchy subject as we categorize evil)
    Collection, disclosure, and consent policies
    Corporate citizenship
    Voluntary compliance to the GDPR framework
22
Remember the political component at play here.
I use politics not in the "rah rah red team/blue team" distraction, but in its rawest form: the acquisition and application of power to implement policies aligned to your interest.
In this regard, politics have been exercised quite effectively on behalf of corporations to reduce liability, responsibility, and operational friction at the expense of individuals, but we should remember that ostensibly that power can still be wielded by us.
Furthermore, Steve Wilson – Technology is political
Blockchain – great financial crisis
Open source software
Self-sovereign ID – this problem
Don't resist wielding power. If we continue to think embracing politics or political thinking is gauche, then we leave a potent tool out of our toolbox to fix this.
23
24
What organization can offer certification that an organization practices safe PII handling?
IDESG used to certify organizations, but it was self-attested. Is IDESG still relevant?
IDPro is dedicated to raising the quality and quantity of identity professionals.
IAPP is also focused at the individual level.
It appears there is a gap to be filled here.
25
Opportunity for ID professionals
Build a process and framework for reporting dangerous PII situations?
Consider the zero-day reporting/research process used by many tech companies. Is this a pattern to follow?
What organization could become the non-governmental arbiter for reporting/reconciling these issues until government steps up (if ever)?
If we care about PII protection, simple process execution in infosec (patching, change management, defense in depth) is still the best way to prevent bad stuff from happening.
How do we handle unresponsive organizations?
26
Finally, the most atomized unit, the most personalized sphere of influence and action: yourself.
If your organization makes you feel uncomfortable with how they are handling PII data (even though they may be handling it "legally"), leave.
Identity & security talent is in demand, and you shouldn't have to compromise your principles.
27
So it's been a winding road to get to the end of the presentation, but let me finally answer now "when should whistleblowing become the response to corporate negligence?"
Never, it absolutely shouldn't.
But given the confluence of factors at play, and no relief in sight, I find it likely that a growing number will decide it is better to expose an organization's dirty laundry to the world to force action than risk the real human cost of another breach.
And I feel we ignore this situation to our peril.
Thank you.
28
29
30

When should whistleblowing become the response to corporate negligence - Speaker Notes