I run a small cyber security firm. I was doing some work for a client who asked me to do some compliance work. After waiting about a week and a half for my contact within the organization to email me some important documents so I could get started in the first place, I got
Hey, before we get started, could you give us a “seal of approval” saying we comply with these standards? I want to be able to send them to some of our
Me: Well, I can’t give you that until I’ve actually done that work. Telling people that you’re compliant to a certain standard, and then accepting information that is protected under that standard before you actually are, is illegal. And, frankly, unethical.
some back and forth:
I don’t think this relationship is going to work, I’m
Not an optimal conclusion, but at least that was that. Or so I thought.
Two weeks later I got an email from a different company asking about this client’s compliance standards. I informed them that I had not actually done any work for this client and so could not
when they told me I was lying, because this client had an image on their site that declared “Secured by” ME. I checked, and sure enough, there it was. That’s when I decided to get back in touch.
Me: Immediately take down the image saying that I say you meet security compliance standards. I did not do that work, I do not stand by your compliance, and your false attribution could hurt my business.
We made the image, it’s ours to do with as we like.
Me: …Are you serious?
contacted my lawyer.