Todd Davis, the CEO & Chairman of LifeLock, an information security company, recently released a blog post explaining that the company would be removing its LifeLock Wallet application from the major app stores because “certain aspects of the mobile app” did not fully comply with the PCI security standards. Those standards are maintained by the PCI Security Standards Council, which was founded by the major credit card brands, and compliance is enforced through the card brands and their contracts with merchants and service providers. In addition to pulling the app, the same blog post announced that all user data would be permanently deleted once the user tried to open the application. The announcement could lead to lawsuits, government investigations, and, almost certainly, a lot of unhappy customers.
This incident offers many lessons. The first lesson is that businesses need to fully understand the laws, regulations, and industry standards that apply to a product before it is released. In this case, the PCI security standards applied because the product stored users’ credit card information. The second lesson is that proper preparation saves money and headaches. Making a public announcement that a product does not comply with legal or industry standards is something that a CEO never wants to do. It can lead to governmental investigations, lawsuits, loss of consumer confidence, and, perhaps worst of all, the loss of paying customers. Reviewing your company’s products from both a technological and a legal perspective prior to launch helps mitigate the risk that your CEO will have to make such an announcement, and the risk that lawsuits and investigations pose to the company. The final lesson is that failing to design a product properly puts a company between a rock and a hard place with regard to the data it has already collected. Here, LifeLock decided to permanently delete all of the information it had collected from users over the lifespan of the product without first allowing users to back it up. As a result, many users lost forever the information they expected and relied on LifeLock to maintain. Yet the situation highlights a much larger issue: is it better to inconvenience customers, or to have their private information stored insecurely and potentially exposed to the public?
These lessons are painful to learn but can be avoided. Should you need assistance reviewing your products to ensure that they comply with the various federal, state, and industry standards for security and data protection, or would like to know more about this post, please contact us.