Monday, March 28, 2011

Things Worth Fighting For


I came across a little-publicized story this week that presents an interesting parallel to my constant message of privacy & security diligence. Here is the story: The Yamaha Motor Manufacturing Corporation has been making an all-terrain vehicle (ATV) in the U.S. called the ‘Rhino’ since 2003. The Rhino is different from its single-passenger predecessor since it allows for two passengers to sit side-by-side.

Four years later, the company added a few safety updates like more passenger hand-holds. Lawyers for some injured drivers (plaintiffs) jumped on the company’s move, insisting that the reason the safety features were added was because the vehicles were not safe in the first place. Naturally, lawsuits piled in. Overwhelming a company with so many lawsuits that it figures it’s easier to settle than fight was the approach the plaintiffs’ attorneys took. The attorneys attacking the company even petitioned the Consumer Product Safety Commission (CPSC) to aid their suits by trying to force Yamaha to recall their vehicles.

Yamaha did not feel a recall was warranted and even worked with the Consumer Product Safety Commission to make other modest safety changes that would satisfy the agency.

Most importantly, the company responded to the litany of lawsuits in an uncommon way: It decided to fight back.

The company was ultimately vindicated as it proved that in a significant number of instances, the drivers of the vehicles were grossly at fault due to their own behavior. Though riders are cautioned to operate the vehicle properly, the CPSC investigations indicated that product defects, insufficient warnings, negligence, etc., were not the cause of the injuries.

What’s the takeaway then? The company believed in its product, it believed it had provided sufficient safety and precautionary advice to its customers to operate safely, and it had decided to stand its ground and fight back on a principle of having done the right thing. (How unorthodox!)

And what is the connection to privacy & security? Companies create and publish rules and guidelines all the time for their employees on why and how they expect the employees to follow those policies. Sometimes the rules aren’t followed. Often, the rules are only words in a document on the company Intranet to make Legal or HR happy. Sometimes the Information Security team is only a paper tiger with little enforcement power or ability to bring about change and assure compliance.

But in some cases, the company itself, usually with the tone set at the top, decides to practice what it preaches and enforce the rule; make examples of those who purposely attempt to flout the rules, and inform those who do it unwittingly.

These days, consumers are savvier than ever about information. They know the value of their information and they want it protected. A customer will walk away from a company that only pays lip service to the principles of privacy & security, and they will excoriate the company online in blogs and forums for doing so.

The twin pillars of privacy & security in a company can easily be an asset and competitive advantage to a company that knows how to leverage that expertise, and maintain its diligence. I know it’s not always easy to keep up the pressure. Employees get comfortable; employees get lazy. IT can sometimes be a hindrance and not a help to getting the business of the company done, so creative employees will go around the roadblocks to meet deadlines. Privacy & security sometimes suffers. When a company becomes lax, or inertia sets in, the guard gets let down and rules are no longer followed or enforced. That’s when incidents happen; that’s when headlines happen.

If a company believes in its principles, believes it has provided reasonably sufficient safety and precautionary advice to its employees to treat and handle information securely, and it decides to stand its ground and fight back against the perpetual inertia of letting violations slide by because it’s easier than making a fuss, then it has done the right thing. It will fight back and should fight back. Why? Because privacy & security is worth fighting for.