Businesses have a right to pick and choose the customers they do business with, so long as they do not violate anti-discrimination laws. And decisions by a particular firm not to cater to specific customers do not keep those customers from doing business elsewhere. But firms’ decisions about who to do business with can become problematic in the big picture.

As Nadia Kayyali and Rainey Reitman report at Electronic Frontier Foundation, when one Chase Bank customer had his personal account closed, along with his wife’s, he naturally asked the bank why. And he ended up getting three different answers.

Because of the nature of his wife’s business, said one bank representative. Another, more specific, said that the customer’s wife was a “notorious” adult entertainer. Yet another bank spokesperson gave yet another reason, not the family business but the fact that they were doing business, supposedly, with a convicted felon.

Any time that a business gives three different replies to a single query – even an awkward one – it should be a warning sign that the company is not fully at ease with its own policy. This does not mean that the policy is wrong, but it does suggest that the policy decision merits further consideration.

Whatever their intrinsic merits, morality-related business decisions often bear an awkward relationship to external pressure, from law enforcement, other government agencies, and public opinion. And because public opinion can change – or not be monolithic – business decisions can come around to bite the firm in unexpected ways.

These issues do not only revolve around fields such as adult entertainment. “Morality police” come in multiple flavors. Banks have come under pressure from government agencies to crack down on payday lenders, a legal but often unpopular industry. Should the banks give in to such pressure? And how do they, or other businesses, decide what sorts of restraints are appropriate?

Information security is not just a technical issue. Decisions made on a security basis can touch many different public sensitivities, and are best made with a broad perspective on their possible implications. GRT Corporation believes that security is a holistic process in which multiple stakeholders can and should be considered.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”
