I run a small cyber security firm. I was doing some work for a client who asked me to do some compliance work. After waiting about a week and a half for my contact within the organization to email me some important documents so I could get started in the first place, I got this email:
Client: Hey, before we get started, could you give us a “seal of approval” saying we comply with these standards? I want to be able to send them to some of our customers.
Me: Well, I can’t give you that until I’ve actually done the work. Telling people that you’re compliant with a certain standard, and then accepting information that is protected under that standard before you actually are, is illegal. And, frankly, unethical.
After some back and forth:
I don’t think this relationship is going to work, I’m
Not an optimal conclusion, but at least that was that. Or so I thought.
Two weeks later I got an email from a different company asking about this client’s compliance standards. I informed them that I had not actually done any work for this client and so could not comment.
That’s when they told me I was lying, because this client had an image on their site that declared “Secured by” ME. I checked, and sure enough, there it was. That’s when I decided to get back in touch.
Me: Immediately take down the image saying that I say you meet security compliance standards. I did not do that work, I do not stand by your compliance, and your false attribution could hurt my business.
Client: We made the image, it’s ours to do with as we like.
Me: …Are you serious?
I’ve contacted my lawyer.