Most of us know the car we see on a TV ad won't really jump onto the back of a bus from a high bridge. It is much more difficult to tell fact from fiction, however, in technology advertisements. What is hidden under the hood of a new or highly advanced technology is often what makes it valuable. It is with a certain amount of faith or trust that businesses and consumers buy our products and services.
I would bet those who know me personally will attest to the fact that I am a huge fan of fair competition and its resulting drive to innovate and improve business in order to beat out competitors. I embrace the war that is competition. However, there are rules of civility, even in a war (well, in some communities, anyways).
The ethics of advertising and selling in technology and compliance is one topic we have not heard much debate around. Yet, it seems it is a topic that impacts us all and can play a major role in determining the winners in a market. I have touched on this topic in previous articles featured on SearchITChannel, but I would like to go deeper here.
I believe there is a lack of ethical responsibility taken in the advertising of technology and related services. Such reckless advertising is leading us into a far less secure and, in some cases, an even more dangerous world. It is one thing to mislead consumers with ads or sales materials for a diet or hair product, but it is entirely something else when the duplicitous marketing involves regulatory compliance, safety and security.
What led me to write this piece, you ask? Seeing technology advertisements and presentations that say things like, "You can become compliant with X," "We have a shiny widget that is compliant," and, "We are a compliant organization." The truth is, these are most often inaccurate statements. They are declarations that are neither verified nor backed by any government body.
Client organizations, including defense contractors, online retailers, and healthcare providers and their vendors and business associates, should be able to trust at least the most basic claims made in the advertisements. The problem is, organizations and individuals -- on what seems like an almost daily basis -- make claims and/or repeat inaccurate or misleading information to sell their wares. I do not intend to call out any of these false advertisers, so I will speak in generalities.
Let's be honest. You know what I'm talking about. Some technology companies will simply make things up or use misleading "trigger" words, like "100% secure," "compliant," "simple," "easy," "a few steps to success," and so forth. I assume some service providers and product vendors' marketing materials are merely copied from the marketing work of others (which is another subject worth looking at). In this material, statutes are often quoted arbitrarily or inaccurately, or quoted from outdated sources. Some presenters and trainers are also behind the times, leading their audiences astray. But in all cases, it is inexcusable to present unconfirmed information that could cause others to run afoul of the law.
It is not difficult to see that some of the folks who issue false information simply don't understand the legal implications of what they are saying. Others intentionally act dishonestly.
Let's look to the Healthcare Information Portability and Accountability Act (HIPAA) as an example. In the past few months, we have begun to see activity from droves of value-added resellers (VARs), integrators and "consultants" with zero to extremely limited knowledge of the healthcare market. Some opportunistic vendors have tried to revive or morph their products in an effort to take advantage of HIPAA-related opportunities. Some vendors are trying to jump from the market segment or "Bogeyman" they claimed to have addressed previously into HIPAA and healthcare IT.
My issue is not with those companies finally beginning to see the market opportunity offered by immense gaps in healthcare organizations' technology positioning and/or compliance. What I take issue with is the often spurious claims companies make as a result.
Regulatory compliance is serious business, and actions taken in relation to such a business can have a direct impact on consumers, employees, boards of directors and the organization as a whole. Working in a HIPAA, Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA) or other stringently regulated environment is not like working in your typical small and medium-sized businesses or enterprise environment. Every action you take -- and some you don't -- can have significantly negative civil, and yes, even criminal, implications.
I can't tell you how many times I have heard things like, "Since my vendor said that it would make me compliant, I assumed that it would." Unfortunately, "I assumed" is not a defense and, in some cases, might actually be turned against the purchasing consumer or the VAR that didn't complete their due diligence. I recently had a conversation with a vendor sales person about compliance and asked what kind of training his sales team had received. The response was eye-opening to say the least. It went something like this: "Training for what? That is the legal department's problem." When I raised several concerns about the product claims he was making, he said, "Not my issue. I won't be the one in court."
It's not simply those selling to end users that I take issue with. I also take issue with the vendors that are selling tools to service providers by making claims like, "Spend just 30 minutes on this webinar and buy our super technological fairy dust with cool LED lights and stainless steel boxes, and you too can be a security consultant or (insert regulation)-compliant service provider."
Here's the deal, everyone: There is no single technology, no company and no service that in and of itself -- or even in combination with others on a one-off basis -- will ever make you or your client secure or compliant in the vast majority of instances. Knowing how to use a piece of software does not make you a qualified security expert or consultant by any stretch. What it makes you is someone who knows how to use a tool … maybe. Yes, although compliance is a process that frequently involves some technology, there is no easy road to compliance. Anyone that tells you otherwise is either ignorant or not telling you the truth.
Let's look at some of the realistic consequences of using misleading technology advertisements or claims in sales.
- You may be breaking a myriad of laws and regulations. Many business owners do not realize that it is actually illegal to falsely claim your company is better than a competitor or that your product performs in ways other than it does in reality in order to deceive clients. It is illegal not just from the classic "false advertising" perspective, but also because it results in unfair competition. Honest businesses shouldn't have to struggle to compete with liars or deliberate exaggerators over other honest businesses.
According to the law firm of Sheppard Mullin, "Consumer and competitor complaints, rigorous government enforcement of false advertising laws, and industry self-policing are on the rise." The Lanham Act - 11 USC 1125(a) is one law that may be used against you: "Any person who … in commercial advertising or promotion, misrepresents the nature, characteristics, qualities, or geographic origin of his or her or another person's goods, services, or commercial activities, shall be [potentially] liable in a civil action by any person who believes that he or she is or is likely to be damaged by such act."
- By misleading the client, either intentionally or due to your ignorance, you are participating in the institution or continuation of an unsafe configuration. If the client uses your goods/services as advertised and is later tagged for noncompliance, and your claims are found to be untrue or misleading, I would argue that you have a significant issue on your hands.
For instance, if you have been classified as a business associate in healthcare, you could face civil action from the client and their patients. As a business associate, the government could also tag you with major fines and future actions from the Office of Civil Rights and the Federal Trade Commission.
In healthcare, misconfigured and insecure systems are less stable and more likely to be infected with malware, hacked, etc., than other verticals. Poorly designed or configured systems can also result in data loss, delayed medical treatment, mixed or inaccurate records, and so on. This goes far beyond the issue of privacy; it goes to patient safety. IT systems manage life-altering health records, medical devices, prescriptions systems and more.
- If you are dealing in national defense or military systems, law enforcement or other highly sensitive government areas, failing to be accurate and truthful could cost many their lives and/or billions of dollars in lost intellectual property in the long run.
The bottom line: By providing products and/or services that were falsely advertised, you could be putting people's health and well-being at risk.