

Ask HN: Why is the resolution to data breaches: “We will offer credit monitoring” - a_lifters_life

Why do companies continually seem to do this? And not remediate the vulnerabilities inherent in their systems?
======
davismwfl
What is worse about this is that credit monitoring does nothing to protect
you, it only alerts you _after_ the fact.

The issue I have seen in a few incidents is that a company will fix the 1-2
issues that they feel caused the data breach but not take a serious look at
overall security. To me that just means they aren't serious and realize that
the cost of providing credit monitoring is cheaper than fixing issues and
consumers aren't demanding more so it passes as good enough.

What is going to have to change is that consumers in quantities beyond 1-2's
are going to need to start suing for damages. Personally, I think the damages
could be fairly high. Think of the cost of credit, lost or reduced employment
opportunities, car insurance etc. All of which cost more or are damaged when
your credit is dinged regardless of the source. Multiply that by the years it
can take to repair your credit even with all the proper legal documents etc.,
and then by the number of consumers affected in some of these cases. That
could be a big number which starts to get corporations to change their tune
about security.

Of course, to me credit bureaus are an industry ripe with potential to disrupt.
The problem is the barrier to entry is steep and the incumbents are not going
to let new players in without a major fight, so my guess is the cost would
likely be high.

------
devonkim
Everyone has their own reasons for not actually fixing the root cause of so
many problems, but I've found that the larger the company, and the more
uncontrolled systems entropy has manifested, the less the business
actually has any truly actionable control over actually fixing anything
anymore - the inertia of old, bad systems that your business relies upon to
keep the lights on is just too much to overcome. For starters, legacy
application architectures and systems that just can't be offline, nor actually
be fixed by a vendor, can be a hard block. Add in the many vendors and contractors
involved as standard for most large companies, add a lot of internal politics
to the mix, and the reality becomes that the most cost-effective solution is
sadly to just not fix anything and to just pay for PR damage, the credit
monitoring, and some more random security consultants to make people feel
somewhat better.

A big component of real world security practice is that fixing things has
real, serious costs and so businesses will compare those costs to the costs of
simply not fixing them and rolling some dice.

Even the ever-critical Bruce Schneier understands and recognizes this reality.

------
paraxisi
Fixing the problem after the fact does nothing for the people affected by said
vulnerabilities. Sure, they can fix the hole and assure people that it's
fixed, but if you've had your identity stolen/etc, that's not much
consolation.

------
cgearhart
Because it has been established by precedent as a reasonable "consideration"
for the limited harm of losing your personal data. (You don't have actual
damages until your identity is stolen, not just your information.) It's meant
to show that they didn't do _nothing_, without having to do anything more
expensive. It's the minimum they think they can get away with.

