Sure, many places implement significant security measures to protect their users' data, but that's because those developers and product managers actually have a clue or two. An army of ignorant managers and developers do not; they can barely produce functional products, much less functional and secure products. Those clueless people are the cheapest option when a company contracts out for application development -- often without any idea of what the code actually looks like, only that it functions. Rarely will a company that goes for the low bid on a contract spend extra for an independent security audit.
Yet when the public uses these apps, they have a significant level of trust. I mean, they already have an Amazon account, an eBay account, an account at their bank, and so on and so forth. They're all basically the same, right? And as many studies have shown, users often employ the same user name, email address, and password across the sites they frequent. That dumb move makes an individual's personal privacy and security as good as the weakest link among all those sites.
So while it's illegal for your doctor or nurse to tell someone else about your last visit, it's perfectly legal for a company of any size to collect vast amounts of sensitive user data and release it to anyone who happens to come across it on the Internet. As long as it's not medical information, HIPAA doesn't apply, so there are no repercussions other than a PR hit. That needs to change.
As you read this, someone out there right this second is coding an application that will store clear-text passwords and other information without any form of security. Very likely, the password retrieval system for that site will also email that same password back to the user rather than use a randomized password generator with a one-time temporary password and a fixed expiration time. God help me, they're probably not sanitizing their database calls.
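For contrast with the practices listed above, here is a sketch of the alternative: salted password hashes instead of clear text, a random one-time reset credential with a fixed expiration instead of emailing the old password, and parameterized database calls. This is an added example, not code from the original column; the table layout, function names, iteration count and 15-minute lifetime are assumptions.

```python
import hashlib, hmac, secrets, sqlite3, time

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
RESET_TTL = 15 * 60    # lifetime of the temporary credential in seconds (assumed)

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
               " reset_hash BLOB, reset_expires REAL)")
    return db

def register(db, email, password):
    salt = secrets.token_bytes(16)
    # Placeholders keep user input out of the SQL text; only salt and hash are stored.
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, _kdf(password, salt)))

def check_password(db, email, password) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _kdf(password, row[0]))

def start_reset(db, email, now=None) -> str:
    """Issue a random one-time token; only its hash and expiry are stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET reset_hash = ?, reset_expires = ? WHERE email = ?",
               (hashlib.sha256(token.encode()).digest(), now + RESET_TTL, email))
    return token  # sent to the user; the existing password is never retrievable

def finish_reset(db, email, token, new_password, now=None) -> bool:
    now = time.time() if now is None else now
    row = db.execute("SELECT reset_hash, reset_expires FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None or row[0] is None or now > row[1]:
        return False
    if not hmac.compare_digest(row[0], hashlib.sha256(token.encode()).digest()):
        return False
    salt = secrets.token_bytes(16)
    # Clearing reset_hash makes the token single-use.
    db.execute("UPDATE users SET salt = ?, pw_hash = ?, reset_hash = NULL, "
               "reset_expires = NULL WHERE email = ?", (salt, _kdf(new_password, salt), email))
    return True
```
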
These egregious examples of horrible coding practices need to be regulated; blanket guidelines regarding data compromise miss the mark and address the situation after the fact. Any developer worthy of the name must agree that we'd all be better off if unspeakably poor design choices like those I've described were eliminated forever.
As events have proven time and again, this is not a problem that will regulate itself. Companies will continue to go with the low bid, and the low bid will continue to employ substandard coders and managers. The cycle will continue, unless penalties make it very painful to play so fast and loose with customer information.
This story, "Why those guilty of bad coding must pay," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.