Network World
Secure Software: 'See No Evil' is Not a Strategy

Guest Column by Jack Danahy, CSO, 01/16/2009

It has been written that data is the new gold, the new oil, the new currency, and even the new crown jewels. It has become very popular to write about, and to capitalize upon, data as the new medium through which commerce is done. Unfortunately, while gold is transported in high-security vehicles between highly secured facilities, and while no expense is spared in protecting national money supplies from theft and forgery, data is not managed this way: it is handled by software. That software may have been written twenty years ago for mainframes in sealed rooms, or written by brilliant but unseen open source programmers to provide low-cost, high-grade functionality, or written by individuals with little formal secure programming training who were looking to improve user experience and corporate profitability. Every major organization, enterprise, and government in the world relies on software, yet there is virtually no consensus on what it means to have secure software, how to address existing insecure software, or even what "secure" means. Given that software currently enables or imperils most aspects of our buying, selling, and communicating, it is time that responsible people acknowledge that this is a massive problem and stop looking in the opposite direction. "See No Evil" is not a strategy.

This current state of insecurity demands examination and an acceptance of responsibility. Where many corporate failings cause direct repercussions among the public and the market, the impact of a data protection failure is diffused by a lack of common understanding of its causes and its ultimate costs. The market and the public have come to expect these failings in privacy protection. One of the most common examples is credit card data theft. Customers are protected from fraudulent charges by the card issuers, and institutions are protected from charges of negligence by the lack of concrete, required best practices. The issuers are anxious to keep maximizing card use and transaction volume, and therefore shield the victims from the actual costs. As a result, the transaction system, in many cases funded by credit card fees and interest rates, bears the burden of mitigating these consequences, muting anyone's sensitivity to the problem and decreasing the likelihood that strong measures will ever be taken to prevent their recurrence. In this example, it is clear that the damages do not twist the right arms: the public is only modestly inconvenienced, and the offending organization sees little diminution of customer confidence while bearing only a fraction of the total cost of the breach.
